Windows Analysis Report
gjEtERlBSv.exe

Overview

General Information

Sample name: gjEtERlBSv.exe (renamed because the original name is a hash value)
Original sample name: c8c6905d3e2717ea53f8448c119af925.exe
Analysis ID: 1579638
MD5: c8c6905d3e2717ea53f8448c119af925
SHA1: 0b0b6b1ca615684abd0bce6e8f6f4801a110cce5
SHA256: bd1ad8e97f2085b381ba0a732a14e85691b51646c3a055c9df74c0b1a6a84b48
Tags: exe, user-abuse_ch

Detection

Socks5Systemz
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • gjEtERlBSv.exe (PID: 8124 cmdline: "C:\Users\user\Desktop\gjEtERlBSv.exe" MD5: C8C6905D3E2717EA53F8448C119AF925)
    • gjEtERlBSv.tmp (PID: 8144 cmdline: "C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp" /SL5="$10486,3306304,56832,C:\Users\user\Desktop\gjEtERlBSv.exe" MD5: F6E6C1F765DAE0D68210B97C8290CD58)
      • universalvc22.exe (PID: 7260 cmdline: "C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe" -i MD5: B83F3237A6D166CCA9E6BD323F7D2E52)
  • cleanup
No configs have been found
Yara matches on dropped files

Source | Rule | Description | Author
C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-QT6M6.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Yara matches in process memory

Source | Rule | Description | Author
00000001.00000002.3153168010.0000000005A20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000003.00000000.1302069496.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000002.3153414088.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Process Memory Space: universalvc22.exe PID: 7260 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

Yara matches on unpacked PE files

Source | Rule | Description | Author
3.0.universalvc22.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T07:03:46.015972+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.10 | 49974 | 188.119.66.185 | 443 | TCP
2024-12-23T07:03:46.694555+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49974 | 188.119.66.185 | 443 | TCP

                    AV Detection

Source: C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | ReversingLabs: Detection: 47%
Source: gjEtERlBSv.exe | ReversingLabs: Detection: 42%
Source: gjEtERlBSv.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0045D254 ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0045D23C ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_10001000 ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_10001130 ArcFourCrypt

                    Compliance

Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Unpacked PE file: 3.2.universalvc22.exe.400000.0.unpack
Source: gjEtERlBSv.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Universal Video Converter_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.10:49974 version: TLS 1.2
                    Source: Binary string: msvcp71.pdbx# source: is-5EL68.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-OEOUM.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-5EL68.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-JKRV4.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-OEOUM.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: Joe Sandbox View | IP Address: 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49974 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49974 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected:
    GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a271ad4368d HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_0253C59E InternetReadFile
Source: global traffic | HTTP traffic detected:
    GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a271ad4368d HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
Source: gjEtERlBSv.tmp, 00000001.00000002.3153168010.0000000005B15000.00000004.00001000.00020000.00000000.sdmp, universalvc22.exe, 00000003.00000000.1302251841.00000000004FB000.00000002.00000001.01000000.00000009.sdmp, universalvc22.exe.1.dr, is-QT6M6.tmp.1.dr, UniversalVideoConverter.exe.3.dr | String found in binary or memory: http://wonderwork.ucoz.com/
Source: gjEtERlBSv.tmp, gjEtERlBSv.tmp, 00000001.00000000.1289809011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-OKSED.tmp.1.dr, gjEtERlBSv.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
Source: gjEtERlBSv.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: gjEtERlBSv.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: gjEtERlBSv.exe, 00000000.00000003.1289322701.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000003.1289171334.0000000002480000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, gjEtERlBSv.tmp, 00000001.00000000.1289809011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-OKSED.tmp.1.dr, gjEtERlBSv.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: gjEtERlBSv.exe, 00000000.00000003.1289322701.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000003.1289171334.0000000002480000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000000.1289809011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-OKSED.tmp.1.dr, gjEtERlBSv.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: universalvc22.exe, 00000003.00000002.3152421194.00000000008E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
Source: universalvc22.exe, 00000003.00000002.3152421194.00000000008E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/PJ
Source: universalvc22.exe, 00000003.00000002.3152421194.00000000008C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e3008881325
Source: gjEtERlBSv.exe, 00000000.00000003.1288807964.0000000002480000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000003.1288878020.00000000021F1000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000002.3152065220.00000000021F1000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000003.1290676933.0000000003110000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000002.3152875551.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000003.1290759770.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000002.3152343639.0000000000591000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown | Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.10:49974 version: TLS 1.2
Source: is-JKRV4.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_5f6d53f4-8
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0042F520 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00423B84 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004125D8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00478AC0 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0042E934 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004706A8
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004809F7
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004673A4
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0043DD50
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00486BD0
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0045F0C4
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0045B174
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00469404
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00487B30
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0048DF54
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_00401000
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_004067B7
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_609660FA
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6092114F
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6091F2C9
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6096923E
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6093323D
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6095C314
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60950312
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6094D33B
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6093B368
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6096748C
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6093F42E
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60954470
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_609615FA
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6096D6A4
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_609606A8
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60932654
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60955665
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6094B7DB
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6092F74D
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60964807
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6094E9BC
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60937929
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6093FAD6
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6096DAE8
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_6094DA3A
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60936B27
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60954CF6
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60950C6B
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60966DF1
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60963D35
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60909E9C
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60951E86
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60912E0B
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_60954FF8
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_025194B3
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_02502A70
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024FBAED
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024FD31F
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024EE079
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024F70B0
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_0250266D
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024FBF05
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024F873A
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024FB5F9
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_02500DA4
Source: Joe Sandbox View | Dropped File: C:\ProgramData\UniversalVideoConverter\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00457F1C appears 69 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00457D10 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00403494 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00403684 appears 210 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 00453344 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: String function: 004460A4 appears 59 times
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: String function: 024F7750 appears 32 times
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: String function: 02502A00 appears 134 times
Source: gjEtERlBSv.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: gjEtERlBSv.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: gjEtERlBSv.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-OKSED.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-OKSED.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-OKSED.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: sqlite3.dll.3.dr | Static PE information: Number of sections : 19 > 10
Source: is-VUH3N.tmp.1.dr | Static PE information: Number of sections : 19 > 10
Source: gjEtERlBSv.exe, 00000000.00000003.1289322701.00000000021F8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs gjEtERlBSv.exe
Source: gjEtERlBSv.exe, 00000000.00000003.1289171334.0000000002480000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs gjEtERlBSv.exe
Source: gjEtERlBSv.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal92.troj.evad.winEXE@5/26@0/1
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_024EF8C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_0040D353 CreateServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance
Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_0040165C lstrcmpiW,StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_00401B77 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: 3_2_00401D5D StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\gjEtERlBSv.exe | File created: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp
Source: Yara match | File source: 3.0.universalvc22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3153168010.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1302069496.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-QT6M6.tmp, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmpFile read: C:\Windows\win.iniJump to behavior
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                    Source: universalvc22.exe, universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: universalvc22.exe, universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: universalvc22.exe, universalvc22.exe, 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-VUH3N.tmp.1.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: gjEtERlBSv.exe | ReversingLabs: Detection: 42%
                    Source: gjEtERlBSv.exe | Virustotal: Detection: 37%
                    Source: gjEtERlBSv.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: gjEtERlBSv.exe | String found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | File read: C:\Users\user\Desktop\gjEtERlBSv.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\gjEtERlBSv.exe "C:\Users\user\Desktop\gjEtERlBSv.exe"
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Process created: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp "C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp" /SL5="$10486,3306304,56832,C:\Users\user\Desktop\gjEtERlBSv.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Process created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe "C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe" -i
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Window found: window name: TMainForm
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Universal Video Converter_is1
                    Source: gjEtERlBSv.exe | Static file information: File size 3555273 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-5EL68.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-OEOUM.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-5EL68.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-JKRV4.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-OEOUM.tmp.1.dr

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Unpacked PE file: 3.2.universalvc22.exe.400000.0.unpack _aitt_2:ER;_ajtt_2:R;_aktt_2:W;.rsrc:R;_altt_2:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Unpacked PE file: 3.2.universalvc22.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502C0
                    Source: initial sample | Static PE information: section where entry point is pointing to: _aitt_2
                    Source: universalvc22.exe.1.dr | Static PE information: section name: _aitt_2
                    Source: universalvc22.exe.1.dr | Static PE information: section name: _ajtt_2
                    Source: universalvc22.exe.1.dr | Static PE information: section name: _aktt_2
                    Source: universalvc22.exe.1.dr | Static PE information: section name: _altt_2
                    Source: is-JKRV4.tmp.1.dr | Static PE information: section name: Shared
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /4
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /19
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /35
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /51
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /63
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /77
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /89
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /102
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /113
                    Source: is-VUH3N.tmp.1.dr | Static PE information: section name: /124
                    Source: UniversalVideoConverter.exe.3.dr | Static PE information: section name: _aitt_2
                    Source: UniversalVideoConverter.exe.3.dr | Static PE information: section name: _ajtt_2
                    Source: UniversalVideoConverter.exe.3.dr | Static PE information: section name: _aktt_2
                    Source: UniversalVideoConverter.exe.3.dr | Static PE information: section name: _altt_2
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /4
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /19
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /35
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /51
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /63
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /77
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /89
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /102
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /113
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /124
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | Code function: 1_2_00409E4F push ds; ret 1_2_00409E50
                    Source: universalvc22.exe.1.dr | Static PE information: section name: _aitt_2 entropy: 7.747341929566618
                    Source: UniversalVideoConverter.exe.3.dr | Static PE information: section name: _aitt_2 entropy: 7.747341929566618

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_024EE8A2
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-VUH3N.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-5EL68.tmp
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | File created: C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-2T40G.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-OEOUM.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\Desktop\gjEtERlBSv.exe | File created: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\uninstall\is-OKSED.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-JKRV4.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\sqlite3.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | File created: C:\ProgramData\UniversalVideoConverter\sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | File created: C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_iscrypt.dll

                    Boot Survival

Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_024EE8A2
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_0040165C lstrcmpiW,StartServiceCtrlDispatcherA,3_2_0040165C
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus,1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00424194 IsIconic,SetActiveWindow,1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00417598 IsIconic,GetCapture,1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00417CCE IsIconic,SetWindowPos,1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,1_2_0041F118
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_024EE9A6
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-VUH3N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-5EL68.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-2T40G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-OEOUM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-JKRV4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\uninstall\is-OKSED.tmp
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Evasive API call chain: GetLocalTime,DecisionNodes graph_3-61610
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5972
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: API coverage: 3.1 %
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe TID: 7280 :: Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe TID: 7280 :: Thread sleep time: -164000s >= -30000s
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe TID: 6956 :: Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe TID: 6956 :: Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose,1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463CDC
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B78
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Thread delayed: delay time: 60000
Source: universalvc22.exe, 00000003.00000002.3153981332.0000000003236000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW[
Source: universalvc22.exe, 00000003.00000002.3152421194.0000000000808000.00000004.00000020.00020000.00000000.sdmp, universalvc22.exe, 00000003.00000002.3153981332.0000000003236000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: API call chain: ExitProcess graph end node graph_0-6769
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_024F80F0 IsDebuggerPresent,3_2_024F80F0
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_024FE6AE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_024FE6AE
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004502C0
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_024E5E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,3_2_024E5E59
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_024F80DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_024F80DA
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00478504
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E09C
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_024EE85A cpuid 3_2_024EE85A
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: Code function: GetLocaleInfoA,0_2_0040520C
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: Code function: GetLocaleInfoA,0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: GetLocaleInfoA,1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: GetLocaleInfoA,1_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_004585C8
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp :: Code function: 1_2_0045559C GetUserNameA,1_2_0045559C
Source: C:\Users\user\Desktop\gjEtERlBSv.exe :: Code function: 0_2_00405CF4 GetVersionExA,0_2_00405CF4

                    Stealing of Sensitive Information

Source: Yara match :: File source: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3153414088.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: universalvc22.exe PID: 7260, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match :: File source: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000003.00000002.3153414088.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: Process Memory Space: universalvc22.exe PID: 7260, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_609660FA
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,3_2_6090C1D6
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60963143
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_6096A2BD
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,3_2_6096923E
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,3_2_6096A38C
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_6096748C
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_609254B1
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6094B407
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6090F435 sqlite3_bind_parameter_index,3_2_6090F435
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,3_2_609255D4
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_609255FF sqlite3_bind_text,3_2_609255FF
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,3_2_6094B54C
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60925686
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,3_2_6094A6C5
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,3_2_609256E5
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B6ED
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6092562A sqlite3_bind_blob,3_2_6092562A
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,3_2_60925655
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6094C64A
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_609687A7
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6095F7F7
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,3_2_6092570B
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F772
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,3_2_60925778
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6090577D sqlite3_bind_parameter_name,3_2_6090577D
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B764
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6090576B sqlite3_bind_parameter_count,3_2_6090576B
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,3_2_6094A894
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F883
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,3_2_6094C8C2
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,3_2_6096281E
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,3_2_6096583A
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,3_2_6095F9AD
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6094A92B
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6090EAE5 sqlite3_transfer_bindings,3_2_6090EAE5
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,3_2_6095FB98
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_6095ECA6
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095FCCE
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6095FDAE
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,3_2_60966DF1
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_60969D75
Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe :: Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,3_2_6095FFB2
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 5 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Bootkit | 1 Access Token Manipulation | 21 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 5 Windows Service | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 1 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Source | Detection | Scanner | Label | Link
gjEtERlBSv.exe | 42% | ReversingLabs | Win32.Trojan.Munp |
gjEtERlBSv.exe | 38% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe | 48% | ReversingLabs | Win32.Adware.Generic |
C:\ProgramData\UniversalVideoConverter\sqlite3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-UBH39.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\gdiplus.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-2T40G.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-5EL68.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-JKRV4.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-OEOUM.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-VUH3N.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\msvcp71.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\msvcr71.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\sqlite3.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\uninstall\is-OKSED.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\uninstall\unins000.exe (copy) | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe | 48% | ReversingLabs | Win32.Adware.Generic |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a271ad4368dfa | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | gjEtERlBSv.tmp, gjEtERlBSv.tmp, 00000001.00000000.1289809011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-OKSED.tmp.1.dr, gjEtERlBSv.tmp.0.dr | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | gjEtERlBSv.exe | false | | high
http://wonderwork.ucoz.com/ | gjEtERlBSv.tmp, 00000001.00000002.3153168010.0000000005B15000.00000004.00001000.00020000.00000000.sdmp, universalvc22.exe, 00000003.00000000.1302251841.00000000004FB000.00000002.00000001.01000000.00000009.sdmp, universalvc22.exe.1.dr, is-QT6M6.tmp.1.dr, UniversalVideoConverter.exe.3.dr | false | | high
http://www.remobjects.com/psU | gjEtERlBSv.exe, 00000000.00000003.1289322701.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000003.1289171334.0000000002480000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000000.1289809011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-OKSED.tmp.1.dr, gjEtERlBSv.tmp.0.dr | false | | high
https://188.119.66.185/ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e3008881325 | universalvc22.exe, 00000003.00000002.3152421194.00000000008C2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/ps | gjEtERlBSv.exe, 00000000.00000003.1289322701.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000003.1289171334.0000000002480000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, gjEtERlBSv.tmp, 00000001.00000000.1289809011.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-OKSED.tmp.1.dr, gjEtERlBSv.tmp.0.dr | false | | high
https://www.easycutstudio.com/support.html | gjEtERlBSv.exe, 00000000.00000003.1288807964.0000000002480000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000003.1288878020.00000000021F1000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.exe, 00000000.00000002.3152065220.00000000021F1000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000003.1290676933.0000000003110000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000002.3152875551.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000003.1290759770.00000000021F8000.00000004.00001000.00020000.00000000.sdmp, gjEtERlBSv.tmp, 00000001.00000002.3152343639.0000000000591000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/PJ | universalvc22.exe, 00000003.00000002.3152421194.00000000008E3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | gjEtERlBSv.exe | false | | high
https://188.119.66.185/ | universalvc22.exe, 00000003.00000002.3152421194.00000000008E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1579638
                                          Start date and time:2024-12-23 07:00:47 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 7m 22s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Run name:Run with higher sleep bypass
                                          Number of analysed new started processes analysed:9
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:gjEtERlBSv.exe
                                          renamed because original name is a hash value
                                          Original Sample Name:c8c6905d3e2717ea53f8448c119af925.exe
                                          Detection:MAL
                                          Classification:mal92.troj.evad.winEXE@5/26@0/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 92%
                                          • Number of executed functions: 179
                                          • Number of non-executed functions: 319
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
188.119.66.185 | Hbq580QZAR.exe | Get hash | malicious | Socks5Systemz | Browse |
 | steel.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse |
 | stories.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse |
 | basx.exe | Get hash | malicious | Socks5Systemz | Browse |
 | list.exe | Get hash | malicious | Socks5Systemz | Browse |
 | newwork.exe.1.exe | Get hash | malicious | Socks5Systemz | Browse |
 | stail.exe.3.exe | Get hash | malicious | Socks5Systemz | Browse |
 | steel.exe.3.exe | Get hash | malicious | Socks5Systemz | Browse |
 | newwork.exe.1.exe | Get hash | malicious | Socks5Systemz | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FLYNETRU | https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eip&ts=67645d30 | Get hash | malicious | Unknown | Browse | 188.119.66.154
 | https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eil&ts=67645d30 | Get hash | malicious | Unknown | Browse | 188.119.66.154
 | Hbq580QZAR.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | steel.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | stories.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | basx.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | list.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | newwork.exe.1.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | stail.exe.3.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
51c64c77e60f3980eea90869b68c58a8 | WindowsUpdate.exe | Get hash | malicious | Unknown | Browse | 188.119.66.185
 | Hbq580QZAR.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | steel.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | stories.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | basx.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | list.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | newwork.exe.1.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | stail.exe.3.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
 | steel.exe.3.exe | Get hash | malicious | Socks5Systemz | Browse | 188.119.66.185
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\ProgramData\UniversalVideoConverter\sqlite3.dll | Hbq580QZAR.exe | Get hash | malicious | Socks5Systemz | Browse |
 | steel.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse |
 | stories.exe.2.exe | Get hash | malicious | Socks5Systemz | Browse |
 | basx.exe | Get hash | malicious | Socks5Systemz | Browse |
 | list.exe | Get hash | malicious | Socks5Systemz | Browse |
 | newwork.exe.1.exe | Get hash | malicious | Socks5Systemz | Browse |
 | stail.exe.3.exe | Get hash | malicious | Socks5Systemz | Browse |
 | steel.exe.3.exe | Get hash | malicious | Socks5Systemz | Browse |
 | newwork.exe.1.exe | Get hash | malicious | Socks5Systemz | Browse |
                                                                              Process:C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3364587
                                                                              Entropy (8bit):6.499218559926888
                                                                              Encrypted:false
                                                                              SSDEEP:49152:5uFS1PaBNbZK5f6bsaP3dk7UsD1ddfQ52cu9i:zqNbgwbsaC7Ug1HI4cv
                                                                              MD5:B83F3237A6D166CCA9E6BD323F7D2E52
                                                                              SHA1:E39717A05F94F39C21F406197348A961D2BEA23B
                                                                              SHA-256:C5DF3E7683FD6AD00A36054604F278D8E8DB6ED4804BBFD9527FDFFDA51A2AE2
                                                                              SHA-512:D88CEBBCEA454568F70E6BDBDC4619F57FD01A940E23233C8D8CBF0764A434870CEF465763631003FEF618A4A769B641C6B8F4F893ACB468E33C397872F5FFA7
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\UniversalVideoConverter\UniversalVideoConverter.exe, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 48%
                                                                              Reputation:low
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...k,gg.............................e............@...........................3.......3.....................................$........p..`...............................................................................L..........................._aitt_2.Z........................... ..`_ajtt_2.&4.......6..................@..@_aktt_2..d.......0..................@....rsrc........p......................@..@_altt_2..&"......$"..2..............`.0.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):645592
                                                                              Entropy (8bit):6.50414583238337
                                                                              Encrypted:false
                                                                              SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                              MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                              SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                              SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                              SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: Hbq580QZAR.exe, Detection: malicious, Browse
                                                                              • Filename: steel.exe.2.exe, Detection: malicious, Browse
                                                                              • Filename: stories.exe.2.exe, Detection: malicious, Browse
                                                                              • Filename: basx.exe, Detection: malicious, Browse
                                                                              • Filename: list.exe, Detection: malicious, Browse
                                                                              • Filename: newwork.exe.1.exe, Detection: malicious, Browse
                                                                              • Filename: stail.exe.3.exe, Detection: malicious, Browse
                                                                              • Filename: steel.exe.3.exe, Detection: malicious, Browse
                                                                              • Filename: newwork.exe.1.exe, Detection: malicious, Browse
                                                                              Reputation:high, very likely benign file
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                              Process:C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8
                                                                              Entropy (8bit):2.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:RQlt:2
                                                                              MD5:7F3632A8163ABBEE00CD975477047483
                                                                              SHA1:E5BE40E3F1677C7A3F20915FC9128E280F96CE5C
                                                                              SHA-256:5AE0FFAA4D6F8D10F2C3D88700974BCEAEA325E3B3BF5204DBF73143D778F228
                                                                              SHA-512:AB566E4B9AE71005F3C75B26152356171ED5B0B8C6646CC0540686D43862ACF9910461A8C67E5C5363F942629A0174B9EE30EEBCC2428A66EF59AA62B9D23343
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:..hg....
                                                                              Process:C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):4
                                                                              Entropy (8bit):0.8112781244591328
                                                                              Encrypted:false
                                                                              SSDEEP:3:M:M
                                                                              MD5:4352D88A78AA39750BF70CD6F27BCAA5
                                                                              SHA1:3C585604E87F855973731FEA83E21FAB9392D2FC
                                                                              SHA-256:67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
                                                                              SHA-512:EDF92E3D4F80FC47D948EA2F17B9BFC742D34E2E785A7A4927F3E261E8BD9D400B648BFF2123B8396D24FB28F5869979E08D58B4B5D156E640344A2C0A54675D
                                                                              Malicious:false
                                                                              Preview:....
                                                                              Process:C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):128
                                                                              Entropy (8bit):2.9012093522336393
                                                                              Encrypted:false
                                                                              SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                                              MD5:679DD163372163CD8FFC24E3C9E758B3
                                                                              SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                                              SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                                              SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                                              Malicious:false
                                                                              Process:C:\Users\user\Desktop\gjEtERlBSv.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):706560
                                                                              Entropy (8bit):6.506376082324033
                                                                              Encrypted:false
                                                                              SSDEEP:12288:OTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+BIq5MRxyF:uPcYn5c/rPx37/zHBA6pFptZ1CEwqMRU
                                                                              MD5:F6E6C1F765DAE0D68210B97C8290CD58
                                                                              SHA1:BD7E6DBF822C716CAEB02614180169F86D980215
                                                                              SHA-256:8BF41E4BCEFA26FC7CCBD90F04ADC8D064EB335BF327F7C73CEEE754EF1DA3F5
                                                                              SHA-512:4A9C2C968E3EA39C9018CB4DEDEE3D06649430FAA1076FA1EBA66B64569D3653F812C40A8B517EBC15612E8E73473DE694CD3BCC5D41127E012EDD4B6E60B75B
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2560
                                                                              Entropy (8bit):2.8818118453929262
                                                                              Encrypted:false
                                                                              SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                              MD5:A69559718AB506675E907FE49DEB71E9
                                                                              SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                              SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                              SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):6144
                                                                              Entropy (8bit):4.289297026665552
                                                                              Encrypted:false
                                                                              SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                              MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                              SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                              SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                              SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):23312
                                                                              Entropy (8bit):4.596242908851566
                                                                              Encrypted:false
                                                                              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1645320
                                                                              Entropy (8bit):6.787752063353702
                                                                              Encrypted:false
                                                                              SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                              MD5:871C903A90C45CA08A9D42803916C3F7
                                                                              SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                              SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                              SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):176128
                                                                              Entropy (8bit):6.204917493416147
                                                                              Encrypted:false
                                                                              SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                              MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                              SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                              SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                              SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):499712
                                                                              Entropy (8bit):6.414789978441117
                                                                              Encrypted:false
                                                                              SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                              MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                              SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                              SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                              SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:MS Windows HtmlHelp Data
                                                                              Category:dropped
                                                                              Size (bytes):78183
                                                                              Entropy (8bit):7.692742945771669
                                                                              Encrypted:false
                                                                              SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                              MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                              SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                              SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                              SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                              Malicious:false
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):1645320
                                                                              Entropy (8bit):6.787752063353702
                                                                              Encrypted:false
                                                                              SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                              MD5:871C903A90C45CA08A9D42803916C3F7
                                                                              SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                              SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                              SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):348160
                                                                              Entropy (8bit):6.542655141037356
                                                                              Encrypted:false
                                                                              SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                              MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                              SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                              SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                              SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):3364587
                                                                              Entropy (8bit):6.499218211224164
                                                                              Encrypted:false
                                                                              SSDEEP:49152:muFS1PaBNbZK5f6bsaP3dk7UsD1ddfQ52cu9i:YqNbgwbsaC7Ug1HI4cv
                                                                              MD5:3A9B9FF703CFE29EE6E90225899AEA04
                                                                              SHA1:539B456454C5B770DF6A339E06FAA3963D63C7AA
                                                                              SHA-256:DD6D8CBF860DE46AC790B9F6147544738CF8CC6E3988F547E390E74DA79777D7
                                                                              SHA-512:EDA371444BDA941252E75F2EB507A714597C06AD7C7CABE72CC6AAF42DB091FB210F87141FDEAA3E63062F5481EF900AFFABEDBBFA70FE0AE054E6C4D216C334
                                                                              Malicious:false
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\is-QT6M6.tmp, Author: Joe Security
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):645592
                                                                              Entropy (8bit):6.50414583238337
                                                                              Encrypted:false
                                                                              SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                              MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                              SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                              SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                              SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):499712
                                                                              Entropy (8bit):6.414789978441117
                                                                              Encrypted:false
                                                                              SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                              MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                              SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                              SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                              SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):348160
                                                                              Entropy (8bit):6.542655141037356
                                                                              Encrypted:false
                                                                              SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                              MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                              SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                              SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                              SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):645592
                                                                              Entropy (8bit):6.50414583238337
                                                                              Encrypted:false
                                                                              SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                              MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                              SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                              SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                              SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):717985
                                                                              Entropy (8bit):6.5149196353557155
                                                                              Encrypted:false
                                                                              SSDEEP:12288:2TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+BIq5MRxyFq:mPcYn5c/rPx37/zHBA6pFptZ1CEwqMRL
                                                                              MD5:A7A33AD716A6B17B0DD08B3C01BFFA95
                                                                              SHA1:76C0B7CDB62AEE0EF905E775EEB9B576923C6E30
                                                                              SHA-256:BABB77BD3DE73C3ECD35046C21C41A9822AC920CE4B2554D7527BD72ED65647B
                                                                              SHA-512:E87C33E0C2C7B2E884A46FB8E731EDD4AC29EDFF15232AA7F5638A7D48397D59B03DAE6B9661452695C65D614B4893895F8E9C8775A7D501B74CD1D8B18748EC
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:InnoSetup Log Universal Video Converter, version 0x30, 4819 bytes, 928100\user, "C:\Users\user\AppData\Local\Universal Video Converter 5.3.12"
                                                                              Category:dropped
                                                                              Size (bytes):4819
                                                                              Entropy (8bit):4.783939084748526
                                                                              Encrypted:false
                                                                              SSDEEP:96:TpzxTdWC38fp3r0A9+i+eOIh2xHa7ICSss/Lnqxlx8zx5x7x6xexx4AxaD/:zTdWC3Up3eHIh+gICSsAnKv4rta2KAi/
                                                                              MD5:60E0D081F7014338EFA8E1B9048122E3
                                                                              SHA1:597715AD72F35B10DB4E7F9A6AAFACA6D86A6F59
                                                                              SHA-256:B6A0AF5257C15FCDC79EF26F85A1CBBD8A72198572F329DE99390DDA7AACEAB0
                                                                              SHA-512:29CCD9E886512F2BF129A46CEECCFDDD90FE851D5B0FB9246FC1D712D03B2D1E0357042D762B051717F9D79D1A1DDDE593C3DB6EFA8D9F2F3598A3A9A666943B
                                                                              Malicious:false
                                                                              Preview:Inno Setup Uninstall Log (b)....................................Universal Video Converter.......................................................................................................Universal Video Converter.......................................................................................................0...........%...............................................................................................................f.3...................[....928100.user<C:\Users\user\AppData\Local\Universal Video Converter 5.3.12.............'.... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%..
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):717985
                                                                              Entropy (8bit):6.5149196353557155
                                                                              Encrypted:false
                                                                              SSDEEP:12288:2TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+BIq5MRxyFq:mPcYn5c/rPx37/zHBA6pFptZ1CEwqMRL
                                                                              MD5:A7A33AD716A6B17B0DD08B3C01BFFA95
                                                                              SHA1:76C0B7CDB62AEE0EF905E775EEB9B576923C6E30
                                                                              SHA-256:BABB77BD3DE73C3ECD35046C21C41A9822AC920CE4B2554D7527BD72ED65647B
                                                                              SHA-512:E87C33E0C2C7B2E884A46FB8E731EDD4AC29EDFF15232AA7F5638A7D48397D59B03DAE6B9661452695C65D614B4893895F8E9C8775A7D501B74CD1D8B18748EC
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:MS Windows HtmlHelp Data
                                                                              Category:dropped
                                                                              Size (bytes):78183
                                                                              Entropy (8bit):7.692742945771669
                                                                              Encrypted:false
                                                                              SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                              MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                              SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                              SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                              SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                              Malicious:false
                                                                              Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):176128
                                                                              Entropy (8bit):6.204917493416147
                                                                              Encrypted:false
                                                                              SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                              MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                              SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                              SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                              SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:modified
                                                                              Size (bytes):3364587
                                                                              Entropy (8bit):6.499218559926888
                                                                              Encrypted:false
                                                                              SSDEEP:49152:5uFS1PaBNbZK5f6bsaP3dk7UsD1ddfQ52cu9i:zqNbgwbsaC7Ug1HI4cv
                                                                              MD5:B83F3237A6D166CCA9E6BD323F7D2E52
                                                                              SHA1:E39717A05F94F39C21F406197348A961D2BEA23B
                                                                              SHA-256:C5DF3E7683FD6AD00A36054604F278D8E8DB6ED4804BBFD9527FDFFDA51A2AE2
                                                                              SHA-512:D88CEBBCEA454568F70E6BDBDC4619F57FD01A940E23233C8D8CBF0764A434870CEF465763631003FEF618A4A769B641C6B8F4F893ACB468E33C397872F5FFA7
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 48%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...k,gg.............................e............@...........................3.......3.....................................$........p..`...............................................................................L..........................._aitt_2.Z........................... ..`_ajtt_2.&4.......6..................@..@_aktt_2..d.......0..................@....rsrc........p......................@..@_altt_2..&"......$"..2..............`.0.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.99785623813521
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 98.73%
                                                                              • Inno Setup installer (109748/4) 1.08%
                                                                              • Windows Screen Saver (13104/52) 0.13%
                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              File name:gjEtERlBSv.exe
                                                                              File size:3'555'273 bytes
                                                                              MD5:c8c6905d3e2717ea53f8448c119af925
                                                                              SHA1:0b0b6b1ca615684abd0bce6e8f6f4801a110cce5
                                                                              SHA256:bd1ad8e97f2085b381ba0a732a14e85691b51646c3a055c9df74c0b1a6a84b48
                                                                              SHA512:6c165c14a286681f23eefa3911f7b0820e371c3ac4e96dafec826c6e690414e368e4f8c89c0010c5296e2a3b0a8c2ad635c308611c5f9b38dc4bdbbbb8205c08
                                                                              SSDEEP:98304:MXBY9OCE+NDWczJBMg3CJZ4JiV4pwb3aZfOUY7ucWD:+BY9OrwDXzJBMgcWPezgTY7PWD
                                                                              TLSH:25F533716D584878E1CAECF2D5E51BF3126F32350CA91CA134DC8CBC1D466AED8866BB
                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                              Icon Hash:2d2e3797b32b2b99
                                                                              Entrypoint:0x40a5f8
                                                                              Entrypoint Section:CODE
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:1
                                                                              OS Version Minor:0
                                                                              File Version Major:1
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:1
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                              Instruction
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              add esp, FFFFFFC4h
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              xor eax, eax
                                                                              mov dword ptr [ebp-10h], eax
                                                                              mov dword ptr [ebp-24h], eax
                                                                              call 00007F78D0E47E03h
                                                                              call 00007F78D0E4900Ah
                                                                              call 00007F78D0E49299h
                                                                              call 00007F78D0E4933Ch
                                                                              call 00007F78D0E4B2DBh
                                                                              call 00007F78D0E4DC46h
                                                                              call 00007F78D0E4DDADh
                                                                              xor eax, eax
                                                                              push ebp
                                                                              push 0040ACC9h
                                                                              push dword ptr fs:[eax]
                                                                              mov dword ptr fs:[eax], esp
                                                                              xor edx, edx
                                                                              push ebp
                                                                              push 0040AC92h
                                                                              push dword ptr fs:[edx]
                                                                              mov dword ptr fs:[edx], esp
                                                                              mov eax, dword ptr [0040C014h]
                                                                              call 00007F78D0E4E85Bh
                                                                              call 00007F78D0E4E446h
                                                                              cmp byte ptr [0040B234h], 00000000h
                                                                              je 00007F78D0E4F33Eh
                                                                              call 00007F78D0E4E958h
                                                                              xor eax, eax
                                                                              call 00007F78D0E48AF9h
                                                                              lea edx, dword ptr [ebp-10h]
                                                                              xor eax, eax
                                                                              call 00007F78D0E4B8EBh
                                                                              mov edx, dword ptr [ebp-10h]
                                                                              mov eax, 0040CE28h
                                                                              call 00007F78D0E47E9Ah
                                                                              push 00000002h
                                                                              push 00000000h
                                                                              push 00000001h
                                                                              mov ecx, dword ptr [0040CE28h]
                                                                              mov dl, 01h
                                                                              mov eax, 0040738Ch
                                                                              call 00007F78D0E4C17Ah
                                                                              mov dword ptr [0040CE2Ch], eax
                                                                              xor edx, edx
                                                                              push ebp
                                                                              push 0040AC4Ah
                                                                              push dword ptr fs:[edx]
                                                                              mov dword ptr fs:[edx], esp
                                                                              call 00007F78D0E4E8B6h
                                                                              mov dword ptr [0040CE34h], eax
                                                                              mov eax, dword ptr [0040CE34h]
                                                                              cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 456d94581227f09a9add53cc70970420 | False | 0.3259943181818182 | data | 4.49666964679148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2657728706624606
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T07:03:46.015972+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.10 | 49974 | 188.119.66.185 | 443 | TCP
2024-12-23T07:03:46.694555+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49974 | 188.119.66.185 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 07:03:44.522262096 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:44.522313118 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:44.525718927 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:44.538305998 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:44.538316011 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:46.015878916 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:46.015971899 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:46.083190918 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:46.083228111 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:46.083664894 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:46.083828926 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:46.086697102 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:46.127335072 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:46.694576025 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:46.694648027 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
Dec 23, 2024 07:03:46.694750071 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:46.698546886 CET | 49974 | 443 | 192.168.2.10 | 188.119.66.185
Dec 23, 2024 07:03:46.698573112 CET | 443 | 49974 | 188.119.66.185 | 192.168.2.10
                                                                              • 188.119.66.185
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49974 | 188.119.66.185 | 443 | 7260 | C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 06:03:46 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab913463e2a4cb7a3231e72eee7c4db7e40b82a8dcd6c946851e30088813250aa158405633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a271ad4368d HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-23 06:03:46 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 23 Dec 2024 06:03:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-23 06:03:46 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250



                                                                              Target ID:0
                                                                              Start time:01:01:39
                                                                              Start date:23/12/2024
                                                                              Path:C:\Users\user\Desktop\gjEtERlBSv.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\gjEtERlBSv.exe"
                                                                              Imagebase:0x400000
                                                                              File size:3'555'273 bytes
                                                                              MD5 hash:C8C6905D3E2717EA53F8448C119AF925
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:1
                                                                              Start time:01:01:39
                                                                              Start date:23/12/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\is-FKC7J.tmp\gjEtERlBSv.tmp" /SL5="$10486,3306304,56832,C:\Users\user\Desktop\gjEtERlBSv.exe"
                                                                              Imagebase:0x400000
                                                                              File size:706'560 bytes
                                                                              MD5 hash:F6E6C1F765DAE0D68210B97C8290CD58
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.3153168010.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 3%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:3
                                                                              Start time:01:01:40
                                                                              Start date:23/12/2024
                                                                              Path:C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe" -i
                                                                              Imagebase:0x400000
                                                                              File size:3'364'587 bytes
                                                                              MD5 hash:B83F3237A6D166CCA9E6BD323F7D2E52
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1302069496.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3153414088.0000000002BBA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 48%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:false


                                                                                Execution Graph

                                                                                Execution Coverage:21.4%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:2.4%
                                                                                Total number of Nodes:1520
                                                                                Total number of Limit Nodes:22
5965->5966 6040 40953c 5967->6040 5970 4098cc 19 API calls 5971 40995c 5970->5971 5971->5938 5972->5939 5976 409350 5973->5976 5977 409375 CreateDirectoryA 5976->5977 5981 408dd8 18 API calls 5976->5981 5983 404c94 33 API calls 5976->5983 5986 407284 19 API calls 5976->5986 5989 408da8 18 API calls 5976->5989 5990 405890 18 API calls 5976->5990 6096 406cf4 5976->6096 6119 409224 5976->6119 5978 4093ed 5977->5978 5979 40937f GetLastError 5977->5979 5980 40322c 4 API calls 5978->5980 5979->5976 5982 4093f7 5980->5982 5981->5976 5984 4031b8 4 API calls 5982->5984 5983->5976 5985 409411 5984->5985 5987 4031b8 4 API calls 5985->5987 5986->5976 5988 40941e 5987->5988 5988->5944 5989->5976 5990->5976 6225 406820 5991->6225 5994 403454 18 API calls 5995 40694a 5994->5995 5996 4066c0 5995->5996 6230 4068e4 5996->6230 5999 4066f0 6002 403340 18 API calls 5999->6002 6000 4066fe 6001 403454 18 API calls 6000->6001 6003 406711 6001->6003 6004 4066fc 6002->6004 6005 403340 18 API calls 6003->6005 6006 403198 4 API calls 6004->6006 6005->6004 6007 406733 6006->6007 6008 406638 6007->6008 6009 406642 6008->6009 6010 406665 6008->6010 6236 406950 6009->6236 6012 40322c 4 API calls 6010->6012 6014 40666e 6012->6014 6013 406649 6013->6010 6015 406654 6013->6015 6014->5954 6016 403340 18 API calls 6015->6016 6017 406662 6016->6017 6017->5954 6019 403344 6018->6019 6020 4033a5 6018->6020 6021 4031e8 6019->6021 6022 40334c 6019->6022 6026 403254 18 API calls 6021->6026 6028 4031fc 6021->6028 6022->6020 6024 40335b 6022->6024 6027 4031e8 18 API calls 6022->6027 6023 403228 6023->5956 6025 403254 18 API calls 6024->6025 6030 403375 6025->6030 6026->6028 6027->6024 6028->6023 6029 4025ac 4 API calls 6028->6029 6029->6023 6031 4031e8 18 API calls 6030->6031 6032 4033a1 6031->6032 6032->5956 6034 408da8 18 API calls 6033->6034 6035 408df4 6034->6035 6035->5943 6037 405869 6036->6037 6038 405940 19 API calls 6037->6038 6039 40587b 6038->6039 6039->6039 6046 40955b 6040->6046 6041 409590 6043 
40959d GetUserDefaultLangID 6041->6043 6048 409592 6041->6048 6042 409594 6052 407024 GetModuleHandleA GetProcAddress 6042->6052 6043->6048 6046->6041 6046->6042 6047 40956f 6046->6047 6047->5970 6048->6047 6049 4095cb GetACP 6048->6049 6050 4095ef 6048->6050 6049->6047 6049->6048 6050->6047 6051 409615 GetACP 6050->6051 6051->6047 6051->6050 6053 407067 6052->6053 6054 40705e 6052->6054 6055 407070 6053->6055 6056 4070a8 6053->6056 6063 403198 4 API calls 6054->6063 6073 406f68 6055->6073 6057 406f68 RegOpenKeyExA 6056->6057 6061 4070c1 6057->6061 6059 407089 6060 4070de 6059->6060 6076 406f5c 6059->6076 6065 40322c 4 API calls 6060->6065 6061->6060 6064 406f5c 20 API calls 6061->6064 6067 407120 6063->6067 6068 4070d5 RegCloseKey 6064->6068 6069 4070eb 6065->6069 6070 403198 4 API calls 6067->6070 6068->6060 6071 4032fc 18 API calls 6069->6071 6072 407128 6070->6072 6071->6054 6072->6048 6074 406f73 6073->6074 6075 406f79 RegOpenKeyExA 6073->6075 6074->6075 6075->6059 6079 406e10 6076->6079 6080 406e36 RegQueryValueExA 6079->6080 6085 406e7b 6080->6085 6087 406e59 6080->6087 6081 406e73 6083 403198 4 API calls 6081->6083 6082 403198 4 API calls 6084 406f47 RegCloseKey 6082->6084 6083->6085 6084->6060 6085->6082 6086 403278 18 API calls 6086->6087 6087->6081 6087->6085 6087->6086 6088 403420 18 API calls 6087->6088 6089 406eb0 RegQueryValueExA 6088->6089 6089->6080 6090 406ecc 6089->6090 6090->6085 6091 4034f0 18 API calls 6090->6091 6092 406f0e 6091->6092 6093 406f20 6092->6093 6095 403420 18 API calls 6092->6095 6094 4031e8 18 API calls 6093->6094 6094->6085 6095->6093 6138 406a58 6096->6138 6099 406d26 6101 406a58 19 API calls 6099->6101 6103 406d72 6099->6103 6102 406d36 6101->6102 6104 406d42 6102->6104 6107 406a34 21 API calls 6102->6107 6146 406888 6103->6146 6104->6103 6105 406d67 6104->6105 6108 406a58 19 API calls 6104->6108 6105->6103 6158 406cc8 GetWindowsDirectoryA 6105->6158 6107->6104 6111 406d5b 6108->6111 6111->6105 6114 406a34 21 API calls 
6111->6114 6112 406638 19 API calls 6113 406d87 6112->6113 6115 40322c 4 API calls 6113->6115 6114->6105 6116 406d91 6115->6116 6117 4031b8 4 API calls 6116->6117 6118 406dab 6117->6118 6118->5976 6120 409244 6119->6120 6121 406638 19 API calls 6120->6121 6122 40925d 6121->6122 6123 40322c 4 API calls 6122->6123 6130 409268 6123->6130 6124 406978 20 API calls 6124->6130 6126 408dd8 18 API calls 6126->6130 6127 4033b4 18 API calls 6127->6130 6128 405890 18 API calls 6128->6130 6130->6124 6130->6126 6130->6127 6130->6128 6131 4092e4 6130->6131 6198 4091b0 6130->6198 6206 409034 6130->6206 6132 40322c 4 API calls 6131->6132 6133 4092ef 6132->6133 6134 4031b8 4 API calls 6133->6134 6135 409309 6134->6135 6136 403198 4 API calls 6135->6136 6137 409311 6136->6137 6137->5976 6139 4034f0 18 API calls 6138->6139 6140 406a6b 6139->6140 6141 406a82 GetEnvironmentVariableA 6140->6141 6145 406a95 6140->6145 6160 406dec 6140->6160 6141->6140 6142 406a8e 6141->6142 6143 403198 4 API calls 6142->6143 6143->6145 6145->6099 6155 406a34 6145->6155 6147 403414 6146->6147 6148 4068ab GetFullPathNameA 6147->6148 6149 4068b7 6148->6149 6150 4068ce 6148->6150 6149->6150 6151 4068bf 6149->6151 6152 40322c 4 API calls 6150->6152 6153 403278 18 API calls 6151->6153 6154 4068cc 6152->6154 6153->6154 6154->6112 6164 4069dc 6155->6164 6159 406ce9 6158->6159 6159->6103 6161 406dfa 6160->6161 6162 4034f0 18 API calls 6161->6162 6163 406e08 6162->6163 6163->6140 6171 406978 6164->6171 6166 4069fe 6167 406a06 GetFileAttributesA 6166->6167 6168 406a1b 6167->6168 6169 403198 4 API calls 6168->6169 6170 406a23 6169->6170 6170->6099 6181 406744 6171->6181 6173 4069b0 6176 4069c6 6173->6176 6177 4069bb 6173->6177 6175 406989 6175->6173 6188 406970 CharPrevA 6175->6188 6189 403454 6176->6189 6178 40322c 4 API calls 6177->6178 6180 4069c4 6178->6180 6180->6166 6182 406755 6181->6182 6183 4067b9 6182->6183 6187 406773 6182->6187 6184 406680 IsDBCSLeadByte 6183->6184 6185 4067b4 6183->6185 6184->6185 
6185->6175 6187->6185 6196 406680 IsDBCSLeadByte 6187->6196 6188->6175 6190 403486 6189->6190 6191 403459 6189->6191 6192 403198 4 API calls 6190->6192 6191->6190 6194 40346d 6191->6194 6193 40347c 6192->6193 6193->6180 6195 403278 18 API calls 6194->6195 6195->6193 6197 406694 6196->6197 6197->6187 6199 403198 4 API calls 6198->6199 6201 4091d1 6199->6201 6203 4091fe 6201->6203 6215 4032a8 6201->6215 6218 403494 6201->6218 6204 403198 4 API calls 6203->6204 6205 409213 6204->6205 6205->6130 6207 408f70 2 API calls 6206->6207 6208 40904a 6207->6208 6209 40904e 6208->6209 6222 406a48 6208->6222 6209->6130 6212 409081 6213 408fac Wow64RevertWow64FsRedirection 6212->6213 6214 409089 6213->6214 6214->6130 6216 403278 18 API calls 6215->6216 6217 4032b5 6216->6217 6217->6201 6219 403498 6218->6219 6221 4034c3 6218->6221 6220 4034f0 18 API calls 6219->6220 6220->6221 6221->6201 6223 4069dc 21 API calls 6222->6223 6224 406a52 GetLastError 6223->6224 6224->6212 6226 406744 IsDBCSLeadByte 6225->6226 6228 406835 6226->6228 6227 40687f 6227->5994 6228->6227 6229 406680 IsDBCSLeadByte 6228->6229 6229->6228 6231 4068f3 6230->6231 6232 406820 IsDBCSLeadByte 6231->6232 6235 4068fe 6232->6235 6233 4066ea 6233->5999 6233->6000 6234 406680 IsDBCSLeadByte 6234->6235 6235->6233 6235->6234 6237 406957 6236->6237 6238 40695b 6236->6238 6237->6013 6241 406970 CharPrevA 6238->6241 6240 40696c 6240->6013 6241->6240 6816 408f30 6819 408dfc 6816->6819 6820 408e05 6819->6820 6821 403198 4 API calls 6820->6821 6822 408e13 6820->6822 6821->6820 6823 403932 6824 403924 6823->6824 6825 40374c VariantClear 6824->6825 6826 40392c 6825->6826 5386 4075c4 SetFilePointer 5387 4075f7 5386->5387 5388 4075e7 GetLastError 5386->5388 5388->5387 5389 4075f0 5388->5389 5391 40748c GetLastError 5389->5391 5394 4073ec 5391->5394 5395 407284 19 API calls 5394->5395 5397 407414 5395->5397 5396 407434 5399 405890 18 API calls 5396->5399 5397->5396 5398 405194 33 API calls 5397->5398 5398->5396 5400 407443 
5399->5400 5401 403198 4 API calls 5400->5401 5402 407460 5401->5402 5402->5387 6417 4076c8 WriteFile 6418 4076e8 6417->6418 6421 4076ef 6417->6421 6419 40748c 35 API calls 6418->6419 6419->6421 6420 407700 6421->6420 6422 4073ec 34 API calls 6421->6422 6422->6420 6423 402ccc 6426 402cfe 6423->6426 6427 402cdd 6423->6427 6424 402d88 RtlUnwind 6425 403154 4 API calls 6424->6425 6425->6426 6427->6424 6427->6426 6428 402b28 RaiseException 6427->6428 6429 402d7f 6428->6429 6429->6424 6835 403fcd 6836 403f07 4 API calls 6835->6836 6837 403fd6 6836->6837 6838 403e9c 4 API calls 6837->6838 6839 403fe2 6838->6839 6436 4024d0 6437 4024e4 6436->6437 6438 4024e9 6436->6438 6441 401918 4 API calls 6437->6441 6439 402518 6438->6439 6440 40250e RtlEnterCriticalSection 6438->6440 6443 4024ed 6438->6443 6451 402300 6439->6451 6440->6439 6441->6438 6444 402525 6447 402581 6444->6447 6448 402577 RtlLeaveCriticalSection 6444->6448 6446 401fd4 14 API calls 6449 402531 6446->6449 6448->6447 6449->6444 6450 40215c 9 API calls 6449->6450 6450->6444 6452 402314 6451->6452 6454 4023b8 6452->6454 6455 402335 6452->6455 6453 402344 6453->6444 6453->6446 6454->6453 6456 401d80 9 API calls 6454->6456 6459 402455 6454->6459 6461 401e84 6454->6461 6455->6453 6457 401b74 9 API calls 6455->6457 6456->6454 6457->6453 6459->6453 6460 401d00 9 API calls 6459->6460 6460->6453 6466 401768 6461->6466 6463 401e99 6464 401ea6 6463->6464 6465 401dcc 9 API calls 6463->6465 6464->6454 6465->6464 6468 401787 6466->6468 6467 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6467->6468 6468->6467 6469 40183b 6468->6469 6470 40132c LocalAlloc 6468->6470 6472 401821 6468->6472 6474 4017d6 6468->6474 6471 4015c4 VirtualAlloc 6469->6471 6475 4017e7 6469->6475 6470->6468 6471->6475 6473 40150c VirtualFree 6472->6473 6473->6475 6476 40150c VirtualFree 6474->6476 6475->6463 6476->6475 6477 4028d2 6478 4028da 6477->6478 6479 403554 4 API calls 6478->6479 6480 4028ef 6478->6480 6479->6478 6481 4025ac 4 API calls 
6480->6481 6482 4028f4 6481->6482 6840 4019d3 6841 4019ba 6840->6841 6842 4019c3 RtlLeaveCriticalSection 6841->6842 6843 4019cd 6841->6843 6842->6843 5403 407fd4 5404 407fe6 5403->5404 5405 407fed 5403->5405 5414 407f10 5404->5414 5407 408021 5405->5407 5408 408015 5405->5408 5409 408017 5405->5409 5410 40804e 5407->5410 5412 407d7c 33 API calls 5407->5412 5428 407e2c 5408->5428 5425 407d7c 5409->5425 5412->5410 5415 407f25 5414->5415 5416 407d7c 33 API calls 5415->5416 5417 407f34 5415->5417 5416->5417 5418 407f6e 5417->5418 5419 407d7c 33 API calls 5417->5419 5420 407f82 5418->5420 5421 407d7c 33 API calls 5418->5421 5419->5418 5424 407fae 5420->5424 5435 407eb8 5420->5435 5421->5420 5424->5405 5438 4058c4 5425->5438 5427 407d9e 5427->5407 5429 405194 33 API calls 5428->5429 5430 407e57 5429->5430 5446 407de4 5430->5446 5432 407e5f 5433 403198 4 API calls 5432->5433 5434 407e74 5433->5434 5434->5407 5436 407ec7 VirtualFree 5435->5436 5437 407ed9 VirtualAlloc 5435->5437 5436->5437 5437->5424 5440 4058d0 5438->5440 5439 405194 33 API calls 5441 4058fd 5439->5441 5440->5439 5442 4031e8 18 API calls 5441->5442 5443 405908 5442->5443 5444 403198 4 API calls 5443->5444 5445 40591d 5444->5445 5445->5427 5447 4058c4 33 API calls 5446->5447 5448 407e06 5447->5448 5448->5432 6483 405ad4 6484 405ae4 6483->6484 6485 405adc 6483->6485 6486 405ae2 6485->6486 6487 405aeb 6485->6487 6490 405a4c 6486->6490 6488 405940 19 API calls 6487->6488 6488->6484 6491 405a54 6490->6491 6492 405a6e 6491->6492 6493 403154 4 API calls 6491->6493 6494 405a73 6492->6494 6495 405a8a 6492->6495 6493->6491 6496 405940 19 API calls 6494->6496 6497 403154 4 API calls 6495->6497 6498 405a86 6496->6498 6499 405a8f 6497->6499 6501 403154 4 API calls 6498->6501 6500 4059b0 33 API calls 6499->6500 6500->6498 6502 405ab8 6501->6502 6503 403154 4 API calls 6502->6503 6504 405ac6 6503->6504 6504->6484 5916 40a9de 5917 40aa03 5916->5917 5918 407918 InterlockedExchange 5917->5918 5919 40aa2d 5918->5919 5920 
40aa3d 5919->5920 5921 409ae8 18 API calls 5919->5921 5926 4076ac SetEndOfFile 5920->5926 5921->5920 5923 40aa59 5924 4025ac 4 API calls 5923->5924 5925 40aa90 5924->5925 5927 4076c3 5926->5927 5928 4076bc 5926->5928 5927->5923 5929 40748c 35 API calls 5928->5929 5929->5927 6847 402be9 RaiseException 6848 402c04 6847->6848 6515 402af2 6516 402afe 6515->6516 6519 402ed0 6516->6519 6520 403154 4 API calls 6519->6520 6521 402ee0 6520->6521 6522 402b03 6521->6522 6524 402b0c 6521->6524 6525 402b25 6524->6525 6526 402b15 RaiseException 6524->6526 6525->6522 6526->6525 5454 40a5f8 5497 4030dc 5454->5497 5456 40a60e 5500 4042e8 5456->5500 5458 40a613 5503 40457c GetModuleHandleA GetProcAddress 5458->5503 5462 40a61d 5511 4065c8 5462->5511 5464 40a622 5520 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5464->5520 5471 40a665 5542 406c2c 5471->5542 5475 4031e8 18 API calls 5476 40a683 5475->5476 5556 4074e0 5476->5556 5482 407918 InterlockedExchange 5484 40a6d2 5482->5484 5483 40a710 5576 4074a0 5483->5576 5484->5483 5613 409ae8 5484->5613 5486 40a751 5580 407a28 5486->5580 5487 40a736 5487->5486 5488 409ae8 18 API calls 5487->5488 5488->5486 5490 40a776 5590 408b08 5490->5590 5494 40a7bc 5495 408b08 35 API calls 5494->5495 5496 40a7f5 5494->5496 5495->5494 5623 403094 5497->5623 5499 4030e1 GetModuleHandleA GetCommandLineA 5499->5456 5501 403154 4 API calls 5500->5501 5502 404323 5500->5502 5501->5502 5502->5458 5504 404598 5503->5504 5505 40459f GetProcAddress 5503->5505 5504->5505 5506 4045b5 GetProcAddress 5505->5506 5507 4045ae 5505->5507 5508 4045c4 SetProcessDEPPolicy 5506->5508 5509 4045c8 5506->5509 5507->5506 5508->5509 5510 404624 6FCB1CD0 5509->5510 5510->5462 5624 405ca8 5511->5624 5521 4090f7 5520->5521 5708 406fa0 SetErrorMode 5521->5708 5524 407284 19 API calls 5525 409127 5524->5525 5526 403198 4 API calls 5525->5526 5527 40913c 5526->5527 5528 409b78 GetSystemInfo VirtualQuery 5527->5528 5529 409ba2 5528->5529 5530 409c2c 5528->5530 
5529->5530 5531 409c0d VirtualQuery 5529->5531 5532 409bcc VirtualProtect 5529->5532 5533 409bfb VirtualProtect 5529->5533 5534 409768 5530->5534 5531->5529 5531->5530 5532->5529 5533->5531 5714 406bd0 GetCommandLineA 5534->5714 5536 409850 5537 4031b8 4 API calls 5536->5537 5539 40986a 5537->5539 5538 406c2c 20 API calls 5540 409785 5538->5540 5539->5471 5606 409c88 5539->5606 5540->5536 5540->5538 5541 403454 18 API calls 5540->5541 5541->5540 5543 406c53 GetModuleFileNameA 5542->5543 5544 406c77 GetCommandLineA 5542->5544 5545 403278 18 API calls 5543->5545 5552 406c7c 5544->5552 5546 406c75 5545->5546 5550 406ca4 5546->5550 5547 406c81 5548 403198 4 API calls 5547->5548 5551 406c89 5548->5551 5549 406af0 18 API calls 5549->5552 5553 403198 4 API calls 5550->5553 5554 40322c 4 API calls 5551->5554 5552->5547 5552->5549 5552->5551 5555 406cb9 5553->5555 5554->5550 5555->5475 5557 4074ea 5556->5557 5721 407576 5557->5721 5724 407578 5557->5724 5558 407516 5559 40752a 5558->5559 5560 40748c 35 API calls 5558->5560 5563 409c34 FindResourceA 5559->5563 5560->5559 5564 409c49 5563->5564 5565 409c4e SizeofResource 5563->5565 5566 409ae8 18 API calls 5564->5566 5567 409c60 LoadResource 5565->5567 5568 409c5b 5565->5568 5566->5565 5570 409c73 LockResource 5567->5570 5571 409c6e 5567->5571 5569 409ae8 18 API calls 5568->5569 5569->5567 5573 409c84 5570->5573 5574 409c7f 5570->5574 5572 409ae8 18 API calls 5571->5572 5572->5570 5573->5482 5573->5484 5575 409ae8 18 API calls 5574->5575 5575->5573 5577 4074b4 5576->5577 5578 4074c4 5577->5578 5579 4073ec 34 API calls 5577->5579 5578->5487 5579->5578 5581 407a35 5580->5581 5582 405890 18 API calls 5581->5582 5583 407a89 5581->5583 5582->5583 5584 407918 InterlockedExchange 5583->5584 5585 407a9b 5584->5585 5586 405890 18 API calls 5585->5586 5587 407ab1 5585->5587 5586->5587 5588 405890 18 API calls 5587->5588 5589 407af4 5587->5589 5588->5589 5589->5490 5592 408b39 5590->5592 5597 408b82 5590->5597 5591 408bcd 5727 407cb8 
5591->5727 5595 4034f0 18 API calls 5592->5595 5592->5597 5600 403420 18 API calls 5592->5600 5601 4031e8 18 API calls 5592->5601 5605 407cb8 35 API calls 5592->5605 5594 407cb8 35 API calls 5594->5597 5595->5592 5596 408be4 5599 4031b8 4 API calls 5596->5599 5597->5591 5597->5594 5598 4034f0 18 API calls 5597->5598 5603 403420 18 API calls 5597->5603 5604 4031e8 18 API calls 5597->5604 5598->5597 5602 408bfe 5599->5602 5600->5592 5601->5592 5620 404c20 5602->5620 5603->5597 5604->5597 5605->5592 5607 40322c 4 API calls 5606->5607 5608 409cab 5607->5608 5609 409cba MessageBoxA 5608->5609 5610 409ccf 5609->5610 5611 403198 4 API calls 5610->5611 5612 409cd7 5611->5612 5612->5471 5614 409af1 5613->5614 5615 409b09 5613->5615 5617 405890 18 API calls 5614->5617 5616 405890 18 API calls 5615->5616 5618 409b1a 5616->5618 5619 409b03 5617->5619 5618->5483 5619->5483 5749 402594 5620->5749 5622 404c2b 5622->5494 5623->5499 5625 405940 19 API calls 5624->5625 5626 405cb9 5625->5626 5627 405280 GetSystemDefaultLCID 5626->5627 5631 4052b6 5627->5631 5628 404cdc 19 API calls 5628->5631 5629 40520c 19 API calls 5629->5631 5630 4031e8 18 API calls 5630->5631 5631->5628 5631->5629 5631->5630 5635 405318 5631->5635 5632 404cdc 19 API calls 5632->5635 5633 40520c 19 API calls 5633->5635 5634 4031e8 18 API calls 5634->5635 5635->5632 5635->5633 5635->5634 5636 40539b 5635->5636 5637 4031b8 4 API calls 5636->5637 5638 4053b5 5637->5638 5639 4053c4 GetSystemDefaultLCID 5638->5639 5696 40520c GetLocaleInfoA 5639->5696 5642 4031e8 18 API calls 5643 405404 5642->5643 5644 40520c 19 API calls 5643->5644 5645 405419 5644->5645 5646 40520c 19 API calls 5645->5646 5647 40543d 5646->5647 5702 405258 GetLocaleInfoA 5647->5702 5650 405258 GetLocaleInfoA 5651 40546d 5650->5651 5652 40520c 19 API calls 5651->5652 5653 405487 5652->5653 5654 405258 GetLocaleInfoA 5653->5654 5655 4054a4 5654->5655 5656 40520c 19 API calls 5655->5656 5657 4054be 5656->5657 5658 4031e8 18 API calls 5657->5658 5659 
4054cb 5658->5659 5660 40520c 19 API calls 5659->5660 5661 4054e0 5660->5661 5662 4031e8 18 API calls 5661->5662 5663 4054ed 5662->5663 5664 405258 GetLocaleInfoA 5663->5664 5665 4054fb 5664->5665 5666 40520c 19 API calls 5665->5666 5667 405515 5666->5667 5668 4031e8 18 API calls 5667->5668 5669 405522 5668->5669 5670 40520c 19 API calls 5669->5670 5671 405537 5670->5671 5672 4031e8 18 API calls 5671->5672 5673 405544 5672->5673 5674 40520c 19 API calls 5673->5674 5675 405559 5674->5675 5676 405576 5675->5676 5677 405567 5675->5677 5679 40322c 4 API calls 5676->5679 5704 40322c 5677->5704 5680 405574 5679->5680 5681 40520c 19 API calls 5680->5681 5682 405598 5681->5682 5683 4055b5 5682->5683 5684 4055a6 5682->5684 5686 403198 4 API calls 5683->5686 5685 40322c 4 API calls 5684->5685 5687 4055b3 5685->5687 5686->5687 5688 4033b4 18 API calls 5687->5688 5689 4055d7 5688->5689 5690 4033b4 18 API calls 5689->5690 5691 4055f1 5690->5691 5692 4031b8 4 API calls 5691->5692 5693 40560b 5692->5693 5694 405cf4 GetVersionExA 5693->5694 5695 405d0b 5694->5695 5695->5464 5697 405233 5696->5697 5698 405245 5696->5698 5699 403278 18 API calls 5697->5699 5700 40322c 4 API calls 5698->5700 5701 405243 5699->5701 5700->5701 5701->5642 5703 405274 5702->5703 5703->5650 5706 403230 5704->5706 5705 403252 5705->5680 5706->5705 5707 4025ac 4 API calls 5706->5707 5707->5705 5712 403414 5708->5712 5711 406fee 5711->5524 5713 403418 LoadLibraryA 5712->5713 5713->5711 5715 406af0 18 API calls 5714->5715 5716 406bf3 5715->5716 5717 406af0 18 API calls 5716->5717 5718 406c05 5716->5718 5717->5716 5719 403198 4 API calls 5718->5719 5720 406c1a 5719->5720 5720->5540 5722 407578 5721->5722 5723 4075b7 CreateFileA 5722->5723 5723->5558 5725 403414 5724->5725 5726 4075b7 CreateFileA 5725->5726 5726->5558 5728 407cd3 5727->5728 5732 407cc8 5727->5732 5733 407c5c 5728->5733 5731 405890 18 API calls 5731->5732 5732->5596 5734 407c70 5733->5734 5735 407caf 5733->5735 5734->5735 5737 407bac 5734->5737 
5735->5731 5735->5732 5738 407bb7 5737->5738 5739 407bc8 5737->5739 5740 405890 18 API calls 5738->5740 5741 4074a0 34 API calls 5739->5741 5740->5739 5742 407bdc 5741->5742 5743 4074a0 34 API calls 5742->5743 5744 407bfd 5743->5744 5745 407918 InterlockedExchange 5744->5745 5746 407c12 5745->5746 5747 407c28 5746->5747 5748 405890 18 API calls 5746->5748 5747->5734 5748->5747 5750 402598 5749->5750 5752 4025a2 5749->5752 5755 401fd4 5750->5755 5751 40259e 5751->5752 5753 403154 4 API calls 5751->5753 5752->5622 5752->5752 5753->5752 5756 401fe8 5755->5756 5757 401fed 5755->5757 5766 401918 RtlInitializeCriticalSection 5756->5766 5759 402012 RtlEnterCriticalSection 5757->5759 5760 40201c 5757->5760 5763 401ff1 5757->5763 5759->5760 5760->5763 5773 401ee0 5760->5773 5763->5751 5764 402147 5764->5751 5765 40213d RtlLeaveCriticalSection 5765->5764 5767 401946 5766->5767 5768 40193c RtlEnterCriticalSection 5766->5768 5769 401964 LocalAlloc 5767->5769 5768->5767 5770 40197e 5769->5770 5771 4019c3 RtlLeaveCriticalSection 5770->5771 5772 4019cd 5770->5772 5771->5772 5772->5757 5776 401ef0 5773->5776 5774 401f1c 5778 401f40 5774->5778 5784 401d00 5774->5784 5776->5774 5776->5778 5779 401e58 5776->5779 5778->5764 5778->5765 5788 4016d8 5779->5788 5782 401e75 5782->5776 5785 401d4e 5784->5785 5786 401d1e 5784->5786 5785->5786 5857 401c68 5785->5857 5786->5778 5791 4016f4 5788->5791 5790 4016fe 5813 4015c4 5790->5813 5791->5790 5795 40174f 5791->5795 5797 40175b 5791->5797 5805 401430 5791->5805 5817 40132c 5791->5817 5794 40170a 5794->5797 5821 40150c 5795->5821 5797->5782 5798 401dcc 5797->5798 5831 401d80 5798->5831 5801 40132c LocalAlloc 5802 401df0 5801->5802 5803 401df8 5802->5803 5835 401b44 5802->5835 5803->5782 5806 40143f VirtualAlloc 5805->5806 5808 40146c 5806->5808 5809 40148f 5806->5809 5825 4012e4 5808->5825 5809->5791 5812 40147c VirtualFree 5812->5809 5815 40160a 5813->5815 5814 40163a 5814->5794 5815->5814 5816 401626 VirtualAlloc 5815->5816 5816->5814 
5816->5815 5818 401348 5817->5818 5819 4012e4 LocalAlloc 5818->5819 5820 40138f 5819->5820 5820->5791 5824 40153b 5821->5824 5822 401594 5822->5797 5823 401568 VirtualFree 5823->5824 5824->5822 5824->5823 5828 40128c 5825->5828 5829 401298 LocalAlloc 5828->5829 5830 4012aa 5828->5830 5829->5830 5830->5809 5830->5812 5832 401d92 5831->5832 5833 401d89 5831->5833 5832->5801 5833->5832 5840 401b74 5833->5840 5836 401b61 5835->5836 5837 401b52 5835->5837 5836->5803 5838 401d00 9 API calls 5837->5838 5839 401b5f 5838->5839 5839->5803 5843 40215c 5840->5843 5842 401b95 5842->5832 5844 40217a 5843->5844 5845 402175 5843->5845 5847 4021ab RtlEnterCriticalSection 5844->5847 5849 4021b5 5844->5849 5851 40217e 5844->5851 5846 401918 4 API calls 5845->5846 5846->5844 5847->5849 5848 4021c1 5852 4022e3 RtlLeaveCriticalSection 5848->5852 5853 4022ed 5848->5853 5849->5848 5850 402244 5849->5850 5855 402270 5849->5855 5850->5851 5854 401d80 7 API calls 5850->5854 5851->5842 5852->5853 5853->5842 5854->5851 5855->5848 5856 401d00 7 API calls 5855->5856 5856->5848 5858 401c7a 5857->5858 5859 401c9d 5858->5859 5860 401caf 5858->5860 5870 40188c 5859->5870 5862 40188c 3 API calls 5860->5862 5863 401cad 5862->5863 5864 401b44 9 API calls 5863->5864 5869 401cc5 5863->5869 5865 401cd4 5864->5865 5866 401cee 5865->5866 5880 401b98 5865->5880 5885 4013a0 5866->5885 5869->5786 5871 4018b2 5870->5871 5879 40190b 5870->5879 5889 401658 5871->5889 5874 40132c LocalAlloc 5875 4018cf 5874->5875 5876 4018e6 5875->5876 5877 40150c VirtualFree 5875->5877 5878 4013a0 LocalAlloc 5876->5878 5876->5879 5877->5876 5878->5879 5879->5863 5881 401b9d 5880->5881 5882 401bab 5880->5882 5883 401b74 9 API calls 5881->5883 5882->5866 5884 401baa 5883->5884 5884->5866 5886 4013ab 5885->5886 5887 4012e4 LocalAlloc 5886->5887 5888 4013c6 5886->5888 5887->5888 5888->5869 5891 40168f 5889->5891 5890 4016cf 5890->5874 5891->5890 5892 4016a9 VirtualFree 5891->5892 5892->5891 6849 402dfa 6850 402e26 6849->6850 6851 
402e0d 6849->6851 6853 402ba4 6851->6853 6854 402bc9 6853->6854 6855 402bad 6853->6855 6854->6850 6856 402bb5 RaiseException 6855->6856 6856->6854 6857 4075fa GetFileSize 6858 407626 6857->6858 6859 407616 GetLastError 6857->6859 6859->6858 6860 40761f 6859->6860 6861 40748c 35 API calls 6860->6861 6861->6858 6862 406ffb 6863 407008 SetErrorMode 6862->6863 6531 403a80 CloseHandle 6532 403a90 6531->6532 6533 403a91 GetLastError 6531->6533 6534 404283 6535 4042c3 6534->6535 6536 403154 4 API calls 6535->6536 6537 404323 6536->6537 6864 404185 6865 4041ff 6864->6865 6866 403154 4 API calls 6865->6866 6867 4041cc 6865->6867 6868 404323 6866->6868 6538 403e87 6539 403e4c 6538->6539 6540 403e62 6539->6540 6541 403e7b 6539->6541 6542 403e67 6539->6542 6547 403cc8 6540->6547 6543 402674 4 API calls 6541->6543 6545 403e78 6542->6545 6551 402674 6542->6551 6543->6545 6548 403cd6 6547->6548 6549 402674 4 API calls 6548->6549 6550 403ceb 6548->6550 6549->6550 6550->6542 6552 403154 4 API calls 6551->6552 6553 40267a 6552->6553 6553->6545 6562 407e90 6563 407eb8 VirtualFree 6562->6563 6564 407e9d 6563->6564 6567 403e95 6568 403e4c 6567->6568 6569 403e62 6568->6569 6570 403e7b 6568->6570 6571 403e67 6568->6571 6573 403cc8 4 API calls 6569->6573 6572 402674 4 API calls 6570->6572 6574 403e78 6571->6574 6575 402674 4 API calls 6571->6575 6572->6574 6573->6571 6575->6574 6576 40ac97 6585 4096fc 6576->6585 6579 402f24 5 API calls 6580 40aca1 6579->6580 6581 403198 4 API calls 6580->6581 6582 40acc0 6581->6582 6583 403198 4 API calls 6582->6583 6584 40acc8 6583->6584 6594 4056ac 6585->6594 6587 409745 6591 403198 4 API calls 6587->6591 6588 409717 6588->6587 6600 40720c 6588->6600 6590 409735 6593 40973d MessageBoxA 6590->6593 6592 40975a 6591->6592 6592->6579 6592->6580 6593->6587 6595 403154 4 API calls 6594->6595 6596 4056b1 6595->6596 6597 4056c9 6596->6597 6598 403154 4 API calls 6596->6598 6597->6588 6599 4056bf 6598->6599 6599->6588 6601 4056ac 4 API calls 6600->6601 6602 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                                • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                                • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                • String ID:
                                                                                • API String ID: 2441996862-0
                                                                                • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                                • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                                • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModulePolicyProcess
                                                                                • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                • API String ID: 3256987805-3653653586
                                                                                • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,021E24DC), ref: 0040966C
                                                                                • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                • SetWindowLongA.USER32(00010486,000000FC,00409960), ref: 0040AB15
                                                                                • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                • DestroyWindow.USER32(00010486,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                • API String ID: 3757039580-3001827809
                                                                                • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                • API String ID: 1646373207-2130885113
                                                                                • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                • SetWindowLongA.USER32(00010486,000000FC,00409960), ref: 0040AB15
                                                                                  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                  • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021E24DC,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021E24DC,00409AD8,00000000), ref: 00409A70
                                                                                  • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                  • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021E24DC,00409AD8), ref: 00409AA4
                                                                                • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                • DestroyWindow.USER32(00010486,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                • API String ID: 3586484885-3001827809
                                                                                • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021E24DC,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021E24DC,00409AD8,00000000), ref: 00409A70
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021E24DC,00409AD8), ref: 00409AA4
                                                                                  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,021E24DC), ref: 0040966C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                • String ID: D
                                                                                • API String ID: 3356880605-2746444292
                                                                                • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69
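The argument lists in the APIs entries are raw 32-bit stack windows rather than exact parameter lists: the leading slots are the call's formal parameters, "?" marks a dword the sandbox could not read, and the slots past the API's arity appear to be the caller's stack (in the CreateProcessA line of the block above, 00409AE4, 00409AD8 and 00409ABF lie in this image's code region, 00401000-0040B000 according to the Memory Dump Source entries, so they read as return addresses rather than arguments). The Python below is an added example, not part of this report or of Joe Sandbox: it parses lines copied from this page, truncates each list to the API's formal arity taken from the public Win32 prototypes, renders the flag-valued parameters symbolically and lists the code-region values found past the arity. Two assumptions the report does not state: that slots past the arity are caller stack, and that the 00000044 in the lpStartupInfo slot is the 68-byte STARTUPINFOA cb field rather than a pointer (the decoder prints that slot as dumped). Decoded, the block above waits on one handle with fWaitAll=0, a 255 ms timeout (000000FF, not INFINITE) and a wake mask of 0xFF, i.e. every QS_* input class, before calling GetExitCodeProcess; entries further down the page give MessageBoxA uType 00000024 = MB_YESNO|MB_ICONQUESTION, SetErrorMode 00008000 = SEM_NOOPENFILEERRORBOX and LocalAlloc(LMEM_FIXED, 0xFF8 bytes).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Code region of this image, from the report's Memory Dump Source entries
# (0x401000 executable, protection 0x20; data starts at 0x40B000, protection 0x04).
TEXT_LO, TEXT_HI = 0x401000, 0x40B000

PARAMS: Dict[str, List[str]] = {  # formal stdcall parameters, one dword each on 32-bit
    "CreateProcessA": ["lpApplicationName", "lpCommandLine", "lpProcessAttributes", "lpThreadAttributes",
                       "bInheritHandles", "dwCreationFlags", "lpEnvironment", "lpCurrentDirectory",
                       "lpStartupInfo", "lpProcessInformation"],
    "MsgWaitForMultipleObjects": ["nCount", "pHandles", "fWaitAll", "dwMilliseconds", "dwWakeMask"],
    "GetLastError": [],
    "MessageBoxA": ["hWnd", "lpText", "lpCaption", "uType"],
    "SetErrorMode": ["uMode"],
    "LocalAlloc": ["uFlags", "uBytes"],
}
QS_BITS = {0x1: "QS_KEY", 0x2: "QS_MOUSEMOVE", 0x4: "QS_MOUSEBUTTON", 0x8: "QS_POSTMESSAGE",
           0x10: "QS_TIMER", 0x20: "QS_PAINT", 0x40: "QS_SENDMESSAGE", 0x80: "QS_HOTKEY"}
SEM_BITS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
            0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
LMEM_BITS = {0x2: "LMEM_MOVEABLE", 0x40: "LMEM_ZEROINIT"}
MB_BUTTONS = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE", 3: "MB_YESNOCANCEL", 4: "MB_YESNO", 5: "MB_RETRYCANCEL"}
MB_ICONS = {0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION", 0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}

def bits_to_names(value: int, table: Dict[int, str], zero: str = "0") -> str:
    # OR-ed flag word rendered symbolically; bits not in the table stay as hex
    names = [name for bit, name in table.items() if value & bit == bit]
    rest = value & ~sum(table)
    if rest:
        names.append("0x%X" % rest)
    return "|".join(names) if names else zero

def decode_mb_type(value: int) -> str:
    # MessageBox uType: button set in the low nibble, icon in the next nibble
    parts = [MB_BUTTONS.get(value & 0xF, "0x%X" % (value & 0xF))]
    if value & 0xF0:
        parts.append(MB_ICONS.get(value & 0xF0, "0x%X" % (value & 0xF0)))
    if value & ~0xFF:
        parts.append("0x%X" % (value & ~0xFF))
    return "|".join(parts)

DECODERS = {
    ("MessageBoxA", "uType"): decode_mb_type,
    ("MsgWaitForMultipleObjects", "dwWakeMask"): lambda v: bits_to_names(v, QS_BITS),
    ("MsgWaitForMultipleObjects", "dwMilliseconds"): lambda v: "INFINITE" if v == 0xFFFFFFFF else str(v),
    ("SetErrorMode", "uMode"): lambda v: bits_to_names(v, SEM_BITS),
    ("LocalAlloc", "uFlags"): lambda v: bits_to_names(v, LMEM_BITS, zero="LMEM_FIXED"),
}
# "• Api.MODULE(slot,slot,...), ref: ADDR", optionally after "Part of subcall function X:"
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                          # address of the call instruction
    args: Dict[str, Optional[int]]    # formal parameter -> raw dword (None for '?')
    decoded: Dict[str, str]           # parameter -> symbolic rendering
    extra: List[Optional[int]]        # dumped slots past the formal parameters
    return_addrs: List[int]           # extra slots that fall inside the code region
    subcall_of: Optional[int] = None  # set on "Part of subcall function" lines

def parse_api_line(line: str) -> ApiCall:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a Joe Sandbox API line: %r" % line)
    raw = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",") if a.strip()]
    api, names = m["api"], PARAMS.get(m["api"])
    if names is None:                 # unknown prototype: keep every slot as positional
        params, extra = {"arg%d" % i: v for i, v in enumerate(raw)}, []
    else:                             # truncate to the arity; the rest is caller stack (assumption)
        params, extra = dict(zip(names, raw[:len(names)])), raw[len(names):]
    decoded = {n: DECODERS[(api, n)](v) for n, v in params.items()
               if (api, n) in DECODERS and v is not None}
    return_addrs = [v for v in extra if v is not None and TEXT_LO <= v < TEXT_HI]
    return ApiCall(api, m["module"], int(m["ref"], 16), params, decoded, extra, return_addrs,
                   int(m["sub"], 16) if m["sub"] else None)

def describe(call: ApiCall) -> str:
    # one line per call: Api(name=value, ...) @ref ret~<code-region slots past the arity>
    shown = [n + "=" + call.decoded.get(n, "?" if v is None else "0x%X" % v) for n, v in call.args.items()]
    tail = " ret~" + ",".join("%08X" % a for a in call.return_addrs) if call.return_addrs else ""
    return "%s(%s) @%08X%s" % (call.api, ", ".join(shown), call.ref, tail)

# Input for the example: lines copied from the APIs entries of this report.
REPORT_LINES = [
    "• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021E24DC,00409AD8,00000000,00409ABF), ref: 00409A5C",
    "• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89",
    "  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,021E24DC), ref: 0040966C",
    "• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878",
    "• SetErrorMode.KERNEL32(00008000), ref: 00406FAA",
    "• LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B",
]

if __name__ == "__main__":
    for call in map(parse_api_line, REPORT_LINES):
        print(describe(call))
```

Run it as a script to get one decoded line per entry; to feed other blocks of the report, add the prototype to PARAMS and, where a parameter is a flag word, a renderer to DECODERS. Values the decoder leaves as hex (handles, pointers, the lpStartupInfo slot) are exactly what the sandbox dumped, with no interpretation applied.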

                                                                                Control-flow Graph

                                                                                Basic blocks (recovered from the graph): 401918-40193a RtlInitializeCriticalSection; 40193c-401941 RtlEnterCriticalSection; 401946-40197c call 4012dc (three times), LocalAlloc; 40197e; 401983-401995 (self-looping block); 401997-4019a6; 4019ad-4019c1; 4019c3-4019c8 RtlLeaveCriticalSection; 4019cd (exit). The entry block reaches the LocalAlloc block either directly or through RtlEnterCriticalSection, and the exit block is reached with or without RtlLeaveCriticalSection.
                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                • String ID:
                                                                                • API String ID: 730355536-0
                                                                                • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: .tmp$y@
                                                                                • API String ID: 2030045667-2396523267
                                                                                • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: .tmp$y@
                                                                                • API String ID: 2030045667-2396523267
                                                                                • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                                • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID: .tmp
                                                                                • API String ID: 1375471231-2986845003
                                                                                • Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                • Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
                                                                                • Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
                                                                                • Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

                                                                                Control-flow Graph

                                                                                Basic blocks (recovered from the graph; 66 blocks in 4076dc-407917): entry 407749-40774a branches to 4076dc-4076e6 WriteFile or to 40774c-40776f. After WriteFile: 4076e8-4076ea call 40748c (a routine that itself calls GetLastError, per the SetFilePointer entries on this page) or 4076ef-4076f2, then 4076f4-4076fb call 4073ec or 407700-407704. Later, 40785b-40785c branches to 4078d6-4078eb call 407890 and InterlockedExchange (followed by the self-looping block 4078ed-407910) or to 40785e-40788c. No other block calls an API.
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                • Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
                                                                                • Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
                                                                                • Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

                                                                                Control-flow Graph

                                                                                Basic blocks (recovered from the graph; 34 blocks in 401fd4-402158): entry 401fd4-401fe6 branches to 401fe8 call 401918 (the critical-section initialiser listed above) or to 401ffb-402010, which continues to 402012-402017 RtlEnterCriticalSection or skips it to 40201c-402025. The body then branches among 402038-4020c6 (call 402f54 at 4020a2-4020c6), 4020d3-40211b (call 402f54 at 4020ef-40211b) and 40211d-40211f call 401ee0; the last reaches 402124-40213b, which leaves through 40213d-402142 RtlLeaveCriticalSection or 402147. Exit block 40214f-402158.
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                                                  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                • String ID:
                                                                                • API String ID: 296031713-0
                                                                                • Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                                                • Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
                                                                                • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

                                                                                Control-flow Graph

                                                                                Basic block (recovered from the graph): a single block 406fa0-406ff3 SetErrorMode, call 403414, LoadLibraryA, with no branches.
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLibraryLoadMode
                                                                                • String ID:
                                                                                • API String ID: 2987862817-0
                                                                                • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021E03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                                Control-flow Graph

                                                                                Basic blocks (recovered from the graph): 40762c-40764a ReadFile; 407663-40766a (exit); 40764c-407650; 407652-40765a GetLastError; 40765c-40765e call 40748c. ReadFile continues to the exit block or to 40764c-407650, which goes to GetLastError and/or call 40748c (a routine that itself calls GetLastError, per the SetFilePointer entries on this page); both rejoin the exit block.
                                                                                APIs
                                                                                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastRead
                                                                                • String ID:
                                                                                • API String ID: 1948546556-0
                                                                                • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021E03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                  • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                • String ID:
                                                                                • API String ID: 1658689577-0
                                                                                • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                                                • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021E03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID:
                                                                                • API String ID: 442123175-0
                                                                                • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                APIs
                                                                                • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FormatMessage
                                                                                • String ID:
                                                                                • API String ID: 1306739567-0
                                                                                • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                APIs
                                                                                • SetEndOfFile.KERNEL32(?,021F8000,0040AA59,00000000), ref: 004076B3
                                                                                  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021E03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 734332943-0
                                                                                • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                APIs
                                                                                • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CharPrev
                                                                                • String ID:
                                                                                • API String ID: 122130370-0
                                                                                • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                • Instruction Fuzzy Hash:
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1263568516-0
                                                                                • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 1263568516-0
                                                                                • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                • String ID: SeShutdownPrivilege
                                                                                • API String ID: 107509674-3733053543
                                                                                • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                APIs
                                                                                • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: SystemTime
                                                                                • String ID:
                                                                                • API String ID: 2656138-0
                                                                                • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Version
                                                                                • String ID:
                                                                                • API String ID: 1889659487-0
                                                                                • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressCloseHandleModuleProc
                                                                                • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                • API String ID: 4190037839-2401316094
                                                                                • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                  • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale$DefaultSystem
                                                                                • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 1044490935-665933166
                                                                                • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                • LocalFree.KERNEL32(0075A578,00000000,00401AB4), ref: 00401A1B
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,0075A578,00000000,00401AB4), ref: 00401A3A
                                                                                • LocalFree.KERNEL32(0075B578,?,00000000,00008000,0075A578,00000000,00401AB4), ref: 00401A79
                                                                                • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID:
                                                                                • API String ID: 3782394904-0
                                                                                • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ExitMessageProcess
                                                                                • String ID: Error$Runtime error at 00000000$9@
                                                                                • API String ID: 1220098344-1503883590
                                                                                • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocString
                                                                                • String ID:
                                                                                • API String ID: 262959230-0
                                                                                • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CommandHandleLineModule
                                                                                • String ID: H%t$U1hd.@
                                                                                • API String ID: 2123368496-724775674
                                                                                • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: )q@
                                                                                • API String ID: 3660427363-2284170586
                                                                                • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                Strings
                                                                                • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                • Setup, xrefs: 00409CAD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                • API String ID: 2030045667-3271211647
                                                                                • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                APIs
                                                                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.3151592430.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.3151556261.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151757802.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.3151783627.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 1458359878-0
                                                                                • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                                Execution Graph

                                                                                Execution Coverage:16.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:4.6%
                                                                                Total number of Nodes:2000
                                                                                Total number of Limit Nodes:63
                                                                                execution_graph 49369 40cd00 49370 40cd12 49369->49370 49371 40cd0d 49369->49371 49373 406f48 CloseHandle 49371->49373 49373->49370 49374 498ba8 49432 403344 49374->49432 49376 498bb6 49435 4056a0 49376->49435 49378 498bbb 49438 40631c GetModuleHandleA GetProcAddress 49378->49438 49382 498bc5 49446 40994c 49382->49446 49713 4032fc 49432->49713 49434 403349 GetModuleHandleA GetCommandLineA 49434->49376 49437 4056db 49435->49437 49714 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49435->49714 49437->49378 49439 406338 49438->49439 49440 40633f GetProcAddress 49438->49440 49439->49440 49441 406355 GetProcAddress 49440->49441 49442 40634e 49440->49442 49443 406364 SetProcessDEPPolicy 49441->49443 49444 406368 49441->49444 49442->49441 49443->49444 49445 4063c4 6FCB1CD0 49444->49445 49445->49382 49715 409024 49446->49715 49713->49434 49714->49437 49787 408cbc 49715->49787 49718 4085dc GetSystemDefaultLCID 49722 408612 49718->49722 49719 406dec 19 API calls 49719->49722 49720 408568 19 API calls 49720->49722 49721 403450 18 API calls 49721->49722 49722->49719 49722->49720 49722->49721 49726 408674 49722->49726 49723 406dec 19 API calls 49723->49726 49724 408568 19 API calls 49724->49726 49725 403450 18 API calls 49725->49726 49726->49723 49726->49724 49726->49725 49727 4086f7 49726->49727 49863 403420 49727->49863 49730 408720 GetSystemDefaultLCID 49867 408568 GetLocaleInfoA 49730->49867 49733 403450 18 API calls 49734 408760 49733->49734 49735 408568 19 API calls 49734->49735 49736 408775 49735->49736 49737 408568 19 API calls 49736->49737 49738 408799 49737->49738 49873 4085b4 GetLocaleInfoA 49738->49873 49741 4085b4 GetLocaleInfoA 49742 4087c9 49741->49742 49743 408568 19 API calls 49742->49743 49744 4087e3 49743->49744 49745 4085b4 GetLocaleInfoA 49744->49745 49746 408800 49745->49746 49747 408568 19 API calls 49746->49747 49748 40881a 49747->49748 49749 403450 18 API calls 
49748->49749 49750 408827 49749->49750 49751 408568 19 API calls 49750->49751 49752 40883c 49751->49752 49753 403450 18 API calls 49752->49753 49754 408849 49753->49754 49755 4085b4 GetLocaleInfoA 49754->49755 49756 408857 49755->49756 49757 408568 19 API calls 49756->49757 49758 408871 49757->49758 49759 403450 18 API calls 49758->49759 49760 40887e 49759->49760 49761 408568 19 API calls 49760->49761 49762 408893 49761->49762 49763 403450 18 API calls 49762->49763 49764 4088a0 49763->49764 49765 408568 19 API calls 49764->49765 49766 4088b5 49765->49766 49767 4088d2 49766->49767 49768 4088c3 49766->49768 49770 403494 4 API calls 49767->49770 49881 403494 49768->49881 49771 4088d0 49770->49771 49772 408568 19 API calls 49771->49772 49773 4088f4 49772->49773 49774 408911 49773->49774 49775 408902 49773->49775 49777 403400 4 API calls 49774->49777 49776 403494 4 API calls 49775->49776 49778 40890f 49776->49778 49777->49778 49875 403634 49778->49875 49788 408cc8 49787->49788 49795 406dec LoadStringA 49788->49795 49808 4034e0 49795->49808 49798 403450 49799 403454 49798->49799 49802 403464 49798->49802 49801 4034bc 18 API calls 49799->49801 49799->49802 49800 403490 49804 403400 49800->49804 49801->49802 49802->49800 49858 402660 49802->49858 49805 40341f 49804->49805 49806 403406 49804->49806 49805->49718 49806->49805 49807 402660 4 API calls 49806->49807 49807->49805 49813 4034bc 49808->49813 49810 4034f0 49811 403400 4 API calls 49810->49811 49812 403508 49811->49812 49812->49798 49814 4034c0 49813->49814 49815 4034dc 49813->49815 49818 402648 49814->49818 49815->49810 49817 4034c9 49817->49810 49819 40264c 49818->49819 49821 402656 49818->49821 49824 402088 49819->49824 49820 402652 49820->49821 49835 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49820->49835 49821->49817 49821->49821 49825 40209c 49824->49825 49826 4020a1 49824->49826 49836 4019cc RtlInitializeCriticalSection 49825->49836 49828 4020c6 RtlEnterCriticalSection 49826->49828 49829 4020d0 
[Execution graph residue: this block of the report is the text serialization of the sandbox's call graph (numbered graph nodes, node-to-node edges, and per-node "N API calls" counts) for functions at addresses roughly 0x40178c to 0x495b50 in the analyzed sample. The edge list itself is not human-readable; the recoverable information is the set of Windows API calls referenced by the graph nodes in this span:]
Memory, TLS and synchronization: LocalAlloc, VirtualAlloc, VirtualFree, TlsSetValue, TlsGetValue, RtlEnterCriticalSection, RtlLeaveCriticalSection
Loader and error handling: LoadLibraryA, LoadLibraryExA, GetProcAddress, GetLastError, SetLastError, SetErrorMode, KiUserCallbackDispatcher
File system (with Wow64 redirection toggling): Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, DeleteFileA, RemoveDirectoryA, CreateDirectoryA, MoveFileA, WriteFile, GetFileAttributesA, GetDriveTypeA, SetCurrentDirectoryA, SHPathPrepareForWriteA
Registry: RegOpenKeyExA, RegCloseKey
Window and UI: CreateWindowExA, DestroyWindow, RegisterClassA, UnregisterClassA, GetClassInfoA, NtdllDefWindowProc_A, CallWindowProcA, SendMessageA, SetPropA, SetWindowPos, ShowWindow, IsWindow, IsWindowVisible, IsWindowEnabled, EnableWindow, SetActiveWindow, GetActiveWindow, GetFocus, SetFocus, GetWindowTextA, GetCurrentThreadId, EnumThreadWindows, GetMenu, SetMenu, GetMenuItemCount, GetMenuStringA, GetMenuState, GetSysColor, SetTextColor, SetBkColor, CreateBrushIndirect, MessageBeep, MulDiv
String and locale: CharNextA, IsDBCSLeadByte, MultiByteToWideChar
calls 53690->53691 54109 454100 34 API calls 53690->54109 54110 454100 34 API calls 53690->54110 53691->53690 54040->53451 54041->53452 54042->53488 54052 44fb30 54049->54052 54053 44fb41 54052->54053 54054 44fb2d 54053->54054 54055 44fb6b MulDiv 54053->54055 54054->53617 54058 4181e0 54055->54058 54057 44fb96 SendMessageA 54057->54054 54059 4181ea 54058->54059 54059->54057 54061 403494 4 API calls 54060->54061 54062 46eb6b 54061->54062 54062->53658 54063->53654 54065 4244af 54064->54065 54067 4244ba 54065->54067 54070 4243fc PeekMessageA 54065->54070 54067->53676 54069 408be0 19 API calls 54067->54069 54071 4244a0 54070->54071 54072 42441f 54070->54072 54071->54065 54072->54071 54082 4243cc 54072->54082 54081 42448a TranslateMessage DispatchMessageA 54081->54071 54083 4243f4 54082->54083 54084 4243dd 54082->54084 54083->54071 54086 424318 54083->54086 54084->54083 54101 424cb8 UnhookWindowsHookEx TerminateThread KillTimer IsWindowVisible ShowWindow 54084->54101 54087 424362 54086->54087 54088 424328 54086->54088 54087->54071 54090 424368 54087->54090 54088->54087 54089 42434f TranslateMDISysAccel 54088->54089 54089->54087 54091 4243c4 54090->54091 54092 42437d 54090->54092 54091->54071 54098 4242f4 54091->54098 54092->54091 54093 424385 GetCapture 54092->54093 54093->54091 54094 42438e 54093->54094 54095 4243a7 SendMessageA 54094->54095 54097 4243a0 54094->54097 54095->54091 54096 4243c2 54095->54096 54096->54091 54097->54095 54099 424307 IsDialogMessage 54098->54099 54100 424314 54098->54100 54099->54100 54100->54071 54100->54081 54101->54083 54103 47e25f 54102->54103 54104 47e1cc 54102->54104 54103->53687 54104->54103 54112 457470 29 API calls 54104->54112 54113 479200 54106->54113 54109->53690 54110->53687 54111->53687 54112->54103 54114 479234 54113->54114 54115 47920c 54113->54115 54114->53687 54116 47922d 54115->54116 54119 453344 18 API calls 54115->54119 54120 4790c0 33 API calls 54116->54120 54119->54116 54120->54114 55160 431eec 55125->55160 55127 43d9f2 
55128 403400 4 API calls 55127->55128 55129 43da76 55128->55129 55129->53019 55129->53020 55131 4948cd 55130->55131 55134 494812 55130->55134 55137 494910 55131->55137 55132 433d6c 18 API calls 55132->55134 55134->55131 55134->55132 55135 431ca0 18 API calls 55134->55135 55136 403450 18 API calls 55134->55136 55165 408c0c 18 API calls 55134->55165 55135->55134 55136->55134 55138 49492c 55137->55138 55166 433d6c 55138->55166 55140 494931 55141 431ca0 18 API calls 55140->55141 55142 49493c 55141->55142 55143 43d594 55142->55143 55144 43d5c1 55143->55144 55149 43d5b3 55143->55149 55144->53030 55145 43d63d 55156 43d6f7 55145->55156 55169 447084 55145->55169 55147 43d688 55175 43dd50 55147->55175 55149->55144 55149->55145 55150 447084 18 API calls 55149->55150 55150->55149 55151 43d8fd 55151->55144 55195 447024 18 API calls 55151->55195 55153 43d8de 55194 447024 18 API calls 55153->55194 55156->55151 55156->55153 55193 447024 18 API calls 55156->55193 55157->53032 55158->53034 55159->53021 55161 403494 4 API calls 55160->55161 55162 431efb 55161->55162 55163 431f25 55162->55163 55164 403744 18 API calls 55162->55164 55163->55127 55164->55162 55165->55134 55167 402648 18 API calls 55166->55167 55168 433d7b 55167->55168 55168->55140 55170 4470a3 55169->55170 55171 4470aa 55169->55171 55196 446e30 18 API calls 55170->55196 55173 431ca0 18 API calls 55171->55173 55174 4470ba 55173->55174 55174->55147 55176 43dd6c 55175->55176 55181 43dd99 55175->55181 55177 402660 4 API calls 55176->55177 55176->55181 55177->55176 55178 43ddce 55178->55156 55180 43fea5 55180->55178 55206 447024 18 API calls 55180->55206 55181->55178 55181->55180 55182 43c938 18 API calls 55181->55182 55184 447024 18 API calls 55181->55184 55186 431c40 18 API calls 55181->55186 55189 433d18 18 API calls 55181->55189 55190 436650 18 API calls 55181->55190 55191 433b18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55181->55191 55192 446e30 18 API calls 55181->55192 55197 4396e0 55181->55197 55203 436e4c 
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55181->55203 55204 43dc48 32 API calls 55181->55204 55205 433d34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55181->55205 55182->55181 55184->55181 55186->55181 55189->55181 55190->55181 55191->55181 55192->55181 55193->55156 55194->55151 55195->55151 55196->55171 55198 4396e9 55197->55198 55199 403400 4 API calls 55198->55199 55200 43c8e8 55199->55200 55207 403a38 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55200->55207 55202 43c8fa 55202->55181 55203->55181 55204->55181 55205->55181 55206->55180 55207->55202 55208 41fb58 55209 41fb61 55208->55209 55212 41fdfc 55209->55212 55211 41fb6e 55213 41feee 55212->55213 55214 41fe13 55212->55214 55213->55211 55214->55213 55233 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55214->55233 55216 41fe49 55217 41fe73 55216->55217 55218 41fe4d 55216->55218 55243 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 55217->55243 55234 41fb9c 55218->55234 55221 41fe81 55223 41fe85 55221->55223 55224 41feab 55221->55224 55226 41fb9c 10 API calls 55223->55226 55227 41fb9c 10 API calls 55224->55227 55225 41fb9c 10 API calls 55232 41fe71 55225->55232 55228 41fe97 55226->55228 55229 41febd 55227->55229 55230 41fb9c 10 API calls 55228->55230 55231 41fb9c 10 API calls 55229->55231 55230->55232 55231->55232 55232->55211 55233->55216 55235 41fbb7 55234->55235 55236 41f93c 4 API calls 55235->55236 55237 41fbcd 55235->55237 55236->55237 55244 41f93c 55237->55244 55239 41fc15 55240 41fc38 SetScrollInfo 55239->55240 55252 41fa9c 55240->55252 55243->55221 55245 4181e0 55244->55245 55246 41f959 GetWindowLongA 55245->55246 55247 41f996 55246->55247 55248 41f976 55246->55248 55264 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55247->55264 55263 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 55248->55263 55251 41f982 55251->55239 55253 41fab2 55252->55253 55254 41faaa 55252->55254 55255 41faef 55253->55255 55256 41faf1 55253->55256 55257 
41fae1 55253->55257 55254->55225 55258 41fb31 GetScrollPos 55255->55258 55266 417e48 IsWindowVisible ScrollWindow SetWindowPos 55256->55266 55265 417e48 IsWindowVisible ScrollWindow SetWindowPos 55257->55265 55258->55254 55261 41fb3c 55258->55261 55262 41fb4b SetScrollPos 55261->55262 55262->55254 55263->55251 55264->55251 55265->55255 55266->55255 55267 420598 55268 4205ab 55267->55268 55288 415b30 55268->55288 55270 4205e6 55271 4206f2 55270->55271 55272 420651 55270->55272 55281 420642 MulDiv 55270->55281 55275 420709 55271->55275 55295 4146d4 KiUserCallbackDispatcher 55271->55295 55293 420848 34 API calls 55272->55293 55274 420720 55278 420742 55274->55278 55297 420060 12 API calls 55274->55297 55275->55274 55296 414718 KiUserCallbackDispatcher 55275->55296 55280 42066a 55280->55271 55294 420060 12 API calls 55280->55294 55292 41a304 19 API calls 55281->55292 55284 420687 55285 4206a3 MulDiv 55284->55285 55286 4206c6 55284->55286 55285->55286 55286->55271 55287 4206cf MulDiv 55286->55287 55287->55271 55289 415b42 55288->55289 55298 414470 55289->55298 55291 415b5a 55291->55270 55292->55272 55293->55280 55294->55284 55295->55275 55296->55274 55297->55278 55299 41448a 55298->55299 55302 410458 55299->55302 55301 4144a0 55301->55291 55305 40dca4 55302->55305 55304 41045e 55304->55301 55306 40dd06 55305->55306 55307 40dcb7 55305->55307 55312 40dd14 55306->55312 55310 40dd14 33 API calls 55307->55310 55311 40dce1 55310->55311 55311->55304 55313 40dd24 55312->55313 55315 40dd3a 55313->55315 55324 40e09c 55313->55324 55340 40d5e0 55313->55340 55343 40df4c 55315->55343 55318 40d5e0 19 API calls 55319 40dd42 55318->55319 55319->55318 55320 40ddae 55319->55320 55346 40db60 55319->55346 55321 40df4c 19 API calls 55320->55321 55323 40dd10 55321->55323 55323->55304 55325 40e96c 19 API calls 55324->55325 55328 40e0d7 55325->55328 55326 403778 18 API calls 55326->55328 55327 40e18d 55329 40e1b7 55327->55329 55330 40e1a8 55327->55330 55328->55326 55328->55327 55414 40d774 19 
API calls 55328->55414 55415 40e080 19 API calls 55328->55415 55411 40ba24 55329->55411 55360 40e3c0 55330->55360 55336 40e1b5 55337 403400 4 API calls 55336->55337 55338 40e25c 55337->55338 55338->55313 55341 40ea08 19 API calls 55340->55341 55342 40d5ea 55341->55342 55342->55313 55448 40d4bc 55343->55448 55347 40df54 19 API calls 55346->55347 55348 40db93 55347->55348 55349 40e96c 19 API calls 55348->55349 55350 40db9e 55349->55350 55351 40e96c 19 API calls 55350->55351 55352 40dba9 55351->55352 55353 40dbc4 55352->55353 55354 40dbbb 55352->55354 55358 40dbc1 55352->55358 55457 40d9d8 55353->55457 55460 40dac8 33 API calls 55354->55460 55357 403420 4 API calls 55359 40dc8f 55357->55359 55358->55357 55359->55319 55361 40e3f6 55360->55361 55362 40e3ec 55360->55362 55364 40e511 55361->55364 55365 40e495 55361->55365 55366 40e4f6 55361->55366 55367 40e576 55361->55367 55368 40e438 55361->55368 55369 40e4d9 55361->55369 55370 40e47a 55361->55370 55371 40e4bb 55361->55371 55402 40e45c 55361->55402 55417 40d440 19 API calls 55362->55417 55372 40d764 19 API calls 55364->55372 55425 40de24 19 API calls 55365->55425 55430 40e890 19 API calls 55366->55430 55376 40d764 19 API calls 55367->55376 55418 40d764 55368->55418 55428 40e9a8 19 API calls 55369->55428 55424 40d818 19 API calls 55370->55424 55427 40dde4 19 API calls 55371->55427 55381 40e519 55372->55381 55375 403400 4 API calls 55382 40e5eb 55375->55382 55383 40e57e 55376->55383 55387 40e523 55381->55387 55388 40e51d 55381->55388 55382->55336 55389 40e582 55383->55389 55390 40e59b 55383->55390 55384 40e4e4 55429 409d38 18 API calls 55384->55429 55386 40e4a0 55426 40d470 19 API calls 55386->55426 55431 40ea08 55387->55431 55396 40e521 55388->55396 55397 40e53c 55388->55397 55399 40ea08 19 API calls 55389->55399 55437 40de24 19 API calls 55390->55437 55392 40e461 55423 40ded8 19 API calls 55392->55423 55393 40e444 55421 40de24 19 API calls 55393->55421 55435 40de24 19 API calls 55396->55435 55403 40ea08 19 API calls 
55397->55403 55399->55402 55402->55375 55406 40e544 55403->55406 55404 40e44f 55422 40e26c 19 API calls 55404->55422 55434 40d8a0 19 API calls 55406->55434 55408 40e566 55436 40e2d4 18 API calls 55408->55436 55443 40b9d0 55411->55443 55414->55328 55415->55328 55416 40d774 19 API calls 55416->55336 55417->55361 55419 40ea08 19 API calls 55418->55419 55420 40d76e 55419->55420 55420->55392 55420->55393 55421->55404 55422->55402 55423->55402 55424->55402 55425->55386 55426->55402 55427->55402 55428->55384 55429->55402 55430->55402 55438 40d780 55431->55438 55434->55402 55435->55408 55436->55402 55437->55402 55441 40d78b 55438->55441 55439 40d7c5 55439->55402 55441->55439 55442 40d7cc 19 API calls 55441->55442 55442->55441 55444 40b9e2 55443->55444 55446 40ba07 55443->55446 55444->55446 55447 40ba84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55444->55447 55446->55336 55446->55416 55447->55446 55449 40ea08 19 API calls 55448->55449 55450 40d4c9 55449->55450 55451 40d4dc 55450->55451 55455 40eb0c 19 API calls 55450->55455 55451->55319 55453 40d4d7 55456 40d458 19 API calls 55453->55456 55455->55453 55456->55451 55461 40ab7c 33 API calls 55457->55461 55459 40da00 55459->55358 55460->55358 55461->55459 55462 41363c SetWindowLongA GetWindowLongA 55463 413699 SetPropA SetPropA 55462->55463 55464 41367b GetWindowLongA 55462->55464 55469 41f39c 55463->55469 55464->55463 55465 41368a SetWindowLongA 55464->55465 55465->55463 55474 423a84 55469->55474 55481 415270 55469->55481 55488 423c0c 55469->55488 55470 4136e9 55475 423a94 55474->55475 55477 423b0d 55474->55477 55476 423a9a EnumWindows 55475->55476 55475->55477 55476->55477 55478 423ab6 GetWindow GetWindowLongA 55476->55478 55582 423a1c GetWindow 55476->55582 55477->55470 55479 423ad5 55478->55479 55479->55477 55480 423b01 SetWindowPos 55479->55480 55480->55477 55480->55479 55482 41527d 55481->55482 55483 4152e3 55482->55483 55484 4152d8 55482->55484 55487 4152e1 55482->55487 55585 424b8c 13 API calls 55483->55585 
55484->55487 55586 41505c 60 API calls 55484->55586 55487->55470 55491 423c42 55488->55491 55509 423c63 55491->55509 55587 423b68 55491->55587 55492 423cec 55494 423cf3 55492->55494 55495 423d27 55492->55495 55493 423c8d 55496 423c93 55493->55496 55497 423d50 55493->55497 55502 423cf9 55494->55502 55541 423fb1 55494->55541 55498 423d32 55495->55498 55499 42409a IsIconic 55495->55499 55503 423cc5 55496->55503 55504 423c98 55496->55504 55500 423d62 55497->55500 55501 423d6b 55497->55501 55507 4240d6 55498->55507 55508 423d3b 55498->55508 55499->55509 55513 4240ae GetFocus 55499->55513 55510 423d78 55500->55510 55511 423d69 55500->55511 55594 424194 11 API calls 55501->55594 55514 423f13 SendMessageA 55502->55514 55515 423d07 55502->55515 55503->55509 55531 423cde 55503->55531 55532 423e3f 55503->55532 55505 423df6 55504->55505 55506 423c9e 55504->55506 55599 423b84 NtdllDefWindowProc_A 55505->55599 55520 423ca7 55506->55520 55521 423e1e PostMessageA 55506->55521 55608 424850 WinHelpA PostMessageA 55507->55608 55517 4240ed 55508->55517 55533 423cc0 55508->55533 55509->55470 55518 4241dc 11 API calls 55510->55518 55595 423b84 NtdllDefWindowProc_A 55511->55595 55513->55509 55519 4240bf 55513->55519 55514->55509 55515->55509 55515->55533 55561 423f56 55515->55561 55529 4240f6 55517->55529 55530 42410b 55517->55530 55518->55509 55607 41eff4 GetCurrentThreadId EnumThreadWindows 55519->55607 55526 423cb0 55520->55526 55527 423ea5 55520->55527 55600 423b84 NtdllDefWindowProc_A 55521->55600 55536 423cb9 55526->55536 55537 423dce IsIconic 55526->55537 55538 423eae 55527->55538 55539 423edf 55527->55539 55528 423e39 55528->55509 55540 4244d4 19 API calls 55529->55540 55609 42452c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 55530->55609 55531->55533 55542 423e0b 55531->55542 55591 423b84 NtdllDefWindowProc_A 55532->55591 55533->55509 55593 423b84 NtdllDefWindowProc_A 55533->55593 55535 4240c6 55535->55509 55547 4240ce SetFocus 55535->55547 55536->55533 55548 
423d91 55536->55548 55550 423dea 55537->55550 55551 423dde 55537->55551 55602 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 55538->55602 55592 423b84 NtdllDefWindowProc_A 55539->55592 55540->55509 55541->55509 55558 423fd7 IsWindowEnabled 55541->55558 55545 424178 26 API calls 55542->55545 55545->55509 55546 423e45 55555 423e83 55546->55555 55556 423e61 55546->55556 55547->55509 55548->55509 55596 422c4c ShowWindow PostMessageA PostQuitMessage 55548->55596 55598 423b84 NtdllDefWindowProc_A 55550->55598 55597 423bc0 29 API calls 55551->55597 55554 423ee5 55560 423efd 55554->55560 55567 41eea4 2 API calls 55554->55567 55563 423a84 6 API calls 55555->55563 55601 423b14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 55556->55601 55557 423eb6 55565 423ec8 55557->55565 55572 41ef58 6 API calls 55557->55572 55558->55509 55566 423fe5 55558->55566 55568 423a84 6 API calls 55560->55568 55561->55509 55569 423f78 IsWindowEnabled 55561->55569 55571 423e8b PostMessageA 55563->55571 55603 423b84 NtdllDefWindowProc_A 55565->55603 55575 423fec IsWindowVisible 55566->55575 55567->55560 55568->55509 55569->55509 55574 423f86 55569->55574 55570 423e69 PostMessageA 55570->55509 55571->55509 55572->55565 55604 412310 21 API calls 55574->55604 55575->55509 55577 423ffa GetFocus 55575->55577 55578 4181e0 55577->55578 55579 42400f SetFocus 55578->55579 55605 415240 55579->55605 55583 423a3d GetWindowLongA 55582->55583 55584 423a49 55582->55584 55583->55584 55585->55487 55586->55487 55588 423b72 55587->55588 55589 423b7d 55587->55589 55588->55589 55590 408720 21 API calls 55588->55590 55589->55492 55589->55493 55590->55589 55591->55546 55592->55554 55593->55509 55594->55509 55595->55509 55596->55509 55597->55509 55598->55509 55599->55509 55600->55528 55601->55570 55602->55557 55603->55509 55604->55509 55606 41525b SetFocus 55605->55606 55606->55509 55607->55535 55608->55528 55609->55528 55610 4809f7 55611 480a00 55610->55611 55612 480a2b 55610->55612 
55611->55612 55613 480a1d 55611->55613 55615 480a6a 55612->55615 55984 47f4a4 18 API calls 55612->55984 55982 476c50 203 API calls 55613->55982 55616 480a8e 55615->55616 55620 480a81 55615->55620 55621 480a83 55615->55621 55623 480aca 55616->55623 55624 480aac 55616->55624 55618 480a22 55618->55612 55983 408be0 19 API calls 55618->55983 55619 480a5d 55985 47f50c 56 API calls 55619->55985 55627 47f4e8 56 API calls 55620->55627 55986 47f57c 56 API calls 55621->55986 55989 47f33c 38 API calls 55623->55989 55628 480ac1 55624->55628 55987 47f50c 56 API calls 55624->55987 55627->55616 55988 47f33c 38 API calls 55628->55988 55630 480ac8 55633 480ada 55630->55633 55634 480ae0 55630->55634 55635 480ade 55633->55635 55638 47f4e8 56 API calls 55633->55638 55634->55635 55636 47f4e8 56 API calls 55634->55636 55736 47c66c 55635->55736 55636->55635 55638->55635 55639 480b07 55810 47cb94 55639->55810 55644 480b21 55646 480b31 55644->55646 55882 47f8d0 55644->55882 55648 480b88 55646->55648 55902 4502c0 55646->55902 55907 47fc70 55648->55907 55651 480b8d 55652 480b9a 55651->55652 55653 480cdd 55651->55653 55912 494b50 55652->55912 55655 47fb8c 32 API calls 55653->55655 55654 480b52 55654->55648 55662 4314f8 18 API calls 55654->55662 55657 480cdb 55655->55657 55662->55648 55737 42d898 GetWindowsDirectoryA 55736->55737 55738 47c690 55737->55738 55739 403450 18 API calls 55738->55739 55740 47c69d 55739->55740 55741 42d8c4 GetSystemDirectoryA 55740->55741 55742 47c6a5 55741->55742 55743 403450 18 API calls 55742->55743 55744 47c6b2 55743->55744 55745 42d8f0 6 API calls 55744->55745 55746 47c6ba 55745->55746 55747 403450 18 API calls 55746->55747 55748 47c6c7 55747->55748 55749 47c6d0 55748->55749 55750 47c6ec 55748->55750 56021 42d208 55749->56021 55751 403400 4 API calls 55750->55751 55754 47c6ea 55751->55754 55756 47c731 55754->55756 55757 42c8cc 19 API calls 55754->55757 55755 403450 18 API calls 55755->55754 56001 47c4f4 55756->56001 55759 47c70c 55757->55759 55762 403450 18 API 
calls 55759->55762 55761 403450 18 API calls 55763 47c74d 55761->55763 55764 47c719 55762->55764 55765 47c76b 55763->55765 55766 4035c0 18 API calls 55763->55766 55764->55756 55768 403450 18 API calls 55764->55768 55767 47c4f4 22 API calls 55765->55767 55766->55765 55769 47c77a 55767->55769 55768->55756 55770 403450 18 API calls 55769->55770 55771 47c787 55770->55771 55772 47c7af 55771->55772 55773 42c3fc 19 API calls 55771->55773 55774 47c816 55772->55774 55777 47c4f4 22 API calls 55772->55777 55775 47c79d 55773->55775 55776 47c8de 55774->55776 55782 47c836 SHGetKnownFolderPath 55774->55782 55781 4035c0 18 API calls 55775->55781 55779 47c8e7 55776->55779 55780 47c908 55776->55780 55778 47c7c7 55777->55778 55783 403450 18 API calls 55778->55783 55784 42c3fc 19 API calls 55779->55784 55785 42c3fc 19 API calls 55780->55785 55781->55772 55786 47c850 55782->55786 55787 47c88b SHGetKnownFolderPath 55782->55787 55789 47c7d4 55783->55789 55791 47c8f4 55784->55791 55792 47c915 55785->55792 56031 403ba4 21 API calls 55786->56031 55787->55776 55790 47c8a5 55787->55790 55794 47c7e7 55789->55794 56029 453344 18 API calls 55789->56029 56032 403ba4 21 API calls 55790->56032 55796 4035c0 18 API calls 55791->55796 55797 4035c0 18 API calls 55792->55797 55793 47c86b CoTaskMemFree 55793->55639 55801 47c4f4 22 API calls 55794->55801 55798 47c906 55796->55798 55797->55798 56012 47c5d8 55798->56012 55800 47c8c0 CoTaskMemFree 55800->55639 55803 47c7f6 55801->55803 55805 403450 18 API calls 55803->55805 55807 47c803 55805->55807 55806 403400 4 API calls 55808 47c941 55806->55808 55807->55774 56030 453344 18 API calls 55807->56030 55808->55639 55811 47cb9c 55810->55811 55811->55811 56034 453a24 55811->56034 55814 403450 18 API calls 55815 47cbc9 55814->55815 55816 403494 4 API calls 55815->55816 55817 47cbd6 55816->55817 55818 40357c 18 API calls 55817->55818 55819 47cbe4 55818->55819 55820 457d10 38 API calls 55819->55820 55821 47cbec 55820->55821 55822 47cbff 55821->55822 56064 457508 
20 API calls 55821->56064 55824 42c3fc 19 API calls 55822->55824 55825 47cc0c 55824->55825 55826 4035c0 18 API calls 55825->55826 55827 47cc1c 55826->55827 55828 47cc26 CreateDirectoryA 55827->55828 55829 47cc30 GetLastError 55828->55829 55851 47cc8c 55828->55851 55831 451458 18 API calls 55829->55831 55833 47cc48 55831->55833 55832 47cc99 55834 47ccc2 55832->55834 55838 4035c0 18 API calls 55832->55838 56065 406d68 33 API calls 55833->56065 55837 403420 4 API calls 55834->55837 55836 47cc58 55839 42e8c8 19 API calls 55836->55839 55840 47ccdc 55837->55840 55841 47ccaf 55838->55841 55842 47cc68 55839->55842 55843 403420 4 API calls 55840->55843 56059 47cb3c 55841->56059 55845 451428 18 API calls 55842->55845 55846 47cce9 55843->55846 55849 47cc7d 55845->55849 55852 47ce78 55846->55852 55847 47ccba 56067 458450 18 API calls 55847->56067 56066 408c0c 18 API calls 55849->56066 56052 458410 55851->56052 55853 42c3fc 19 API calls 55852->55853 55854 47cea4 55853->55854 55855 4035c0 18 API calls 55854->55855 55856 47ceb4 55855->55856 55857 47cb3c 39 API calls 55856->55857 55858 47cec1 55857->55858 56128 4525d8 55858->56128 55861 47ceda 55863 4525d8 44 API calls 55861->55863 55864 47cee7 55863->55864 55865 47cf20 55864->55865 55866 403494 4 API calls 55864->55866 55867 42e394 2 API calls 55865->55867 55866->55865 55868 47cf2f 55867->55868 55869 42e394 2 API calls 55868->55869 55870 47cf3c 55869->55870 55871 47cf6f GetProcAddress 55870->55871 55874 4078f4 33 API calls 55870->55874 55872 47cf95 55871->55872 55873 47cf8b 55871->55873 55876 403400 4 API calls 55872->55876 56133 453344 18 API calls 55873->56133 55877 47cf67 55874->55877 55878 47cfaa 55876->55878 56132 453344 18 API calls 55877->56132 55880 403400 4 API calls 55878->55880 55881 47cfb2 55880->55881 55881->55644 55990 47f738 45 API calls 55881->55990 55883 42c3fc 19 API calls 55882->55883 55884 47f8fc 55883->55884 55885 4035c0 18 API calls 55884->55885 55886 47f90c 55885->55886 55887 47ca60 35 API calls 
55886->55887 55888 47f91a 55887->55888 55889 42e394 2 API calls 55888->55889 55890 47f932 55889->55890 55903 4502d3 GetVersion 55902->55903 55904 45037c 55902->55904 55903->55904 55905 4502e6 LoadLibraryA 55903->55905 55904->55654 55905->55904 55906 4502fe 6 API calls 55905->55906 55906->55904 55908 47fc81 55907->55908 55909 47fcbc 55908->55909 55910 47fcac 55908->55910 55909->55651 56151 47e758 6 API calls 55910->56151 55913 494b5a 55912->55913 55982->55618 55984->55619 55985->55615 55986->55616 55987->55628 55988->55630 55989->55630 55990->55644 56002 42de1c RegOpenKeyExA 56001->56002 56003 47c51a 56002->56003 56004 47c540 56003->56004 56005 47c51e 56003->56005 56006 403400 4 API calls 56004->56006 56007 42dd4c 20 API calls 56005->56007 56008 47c547 56006->56008 56009 47c52a 56007->56009 56008->55761 56010 47c535 RegCloseKey 56009->56010 56011 403400 4 API calls 56009->56011 56010->56008 56011->56010 56013 47c5e6 56012->56013 56014 42de1c RegOpenKeyExA 56013->56014 56015 47c60e 56014->56015 56016 47c63f 56015->56016 56017 42dd4c 20 API calls 56015->56017 56016->55806 56018 47c624 56017->56018 56019 42dd4c 20 API calls 56018->56019 56020 47c636 RegCloseKey 56019->56020 56020->56016 56022 4038a4 18 API calls 56021->56022 56023 42d21b 56022->56023 56024 42d232 GetEnvironmentVariableA 56023->56024 56028 42d245 56023->56028 56033 42dbd0 18 API calls 56023->56033 56024->56023 56025 42d23e 56024->56025 56026 403400 4 API calls 56025->56026 56026->56028 56028->55755 56029->55794 56030->55774 56031->55793 56032->55800 56033->56023 56037 453a44 56034->56037 56036 4537b0 25 API calls 56036->56037 56037->56036 56038 453a69 CreateDirectoryA 56037->56038 56043 451458 18 API calls 56037->56043 56049 42e8c8 19 API calls 56037->56049 56050 451428 18 API calls 56037->56050 56068 42da18 56037->56068 56091 406d68 33 API calls 56037->56091 56092 408c0c 18 API calls 56037->56092 56039 453ae1 56038->56039 56040 453a73 GetLastError 56038->56040 56041 403494 4 API calls 56039->56041 
56040->56037 56042 453aeb 56041->56042 56044 403420 4 API calls 56042->56044 56043->56037 56045 453b05 56044->56045 56047 403420 4 API calls 56045->56047 56048 453b12 56047->56048 56048->55814 56049->56037 56050->56037 56053 45841c 56052->56053 56054 45842a 56052->56054 56056 403494 4 API calls 56053->56056 56055 403400 4 API calls 56054->56055 56057 458431 56055->56057 56058 458428 56056->56058 56057->55832 56058->55832 56060 40cf4c 37 API calls 56059->56060 56061 47cb58 56060->56061 56093 47ca60 56061->56093 56063 47cb73 56063->55847 56064->55822 56065->55836 56066->55851 56067->55834 56069 42d208 19 API calls 56068->56069 56070 42da3e 56069->56070 56071 42da4a 56070->56071 56072 42cd48 21 API calls 56070->56072 56073 42d208 19 API calls 56071->56073 56075 42da96 56071->56075 56072->56071 56074 42da5a 56073->56074 56076 42da66 56074->56076 56078 42cd48 21 API calls 56074->56078 56077 42c804 19 API calls 56075->56077 56076->56075 56081 42d208 19 API calls 56076->56081 56087 42da8b 56076->56087 56080 42daa0 56077->56080 56078->56076 56079 42d898 GetWindowsDirectoryA 56079->56075 56082 42c3fc 19 API calls 56080->56082 56083 42da7f 56081->56083 56084 42daab 56082->56084 56086 42cd48 21 API calls 56083->56086 56083->56087 56085 403494 4 API calls 56084->56085 56088 42dab5 56085->56088 56086->56087 56087->56075 56087->56079 56089 403420 4 API calls 56088->56089 56090 42dacf 56089->56090 56090->56037 56091->56037 56092->56037 56100 40cda0 56093->56100 56095 47ca95 56096 403420 4 API calls 56095->56096 56097 47cb25 56096->56097 56098 403400 4 API calls 56097->56098 56099 47cb2d 56098->56099 56099->56063 56105 40cc50 56100->56105 56102 40cdba 56117 40cd88 56102->56117 56104 40cdd5 56104->56095 56106 40cc5d 56105->56106 56107 40cc79 56106->56107 56108 40ccae 56106->56108 56121 406ec0 56107->56121 56125 406e80 CreateFileA 56108->56125 56111 40cc80 56114 40cca7 56111->56114 56124 408d2c 33 API calls 56111->56124 56112 40ccb8 56112->56114 56126 408d2c 33 API calls 
56112->56126 56114->56102 56116 40ccdf 56116->56114 56118 40cd90 56117->56118 56119 40cd9c 56117->56119 56127 40cab8 19 API calls 56118->56127 56119->56104 56122 403738 56121->56122 56123 406edc CreateFileA 56122->56123 56123->56111 56124->56114 56125->56112 56126->56116 56127->56119 56134 452510 56128->56134 56130 4525e5 56130->55861 56131 453344 18 API calls 56130->56131 56131->55861 56132->55871 56133->55872 56135 403738 56134->56135 56136 45252d 754B1520 56135->56136 56137 4525b2 56136->56137 56138 45253b 56136->56138 56140 4525c5 56137->56140 56147 452334 41 API calls 56137->56147 56139 402648 18 API calls 56138->56139 56141 452542 754B1500 56139->56141 56140->56130 56143 452580 56141->56143 56144 452566 754B1540 56141->56144 56145 402660 4 API calls 56143->56145 56144->56143 56146 4525aa 56145->56146 56146->56130 56147->56140 56151->55909
Strings
• Incrementing shared file count (32-bit)., xrefs: 004715A5
• Will register the file (a DLL/OCX) later., xrefs: 0047151F
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
• -- File entry --, xrefs: 004706FB
• , xrefs: 00470BCF, 00470DA0, 00470E1E
• Installing into GAC, xrefs: 00471714
• Version of existing file: (none), xrefs: 00470CFA
• Time stamp of our file: (failed to read), xrefs: 004709A7
• Incrementing shared file count (64-bit)., xrefs: 0047158C
• InUn, xrefs: 0047115F
• Stripped read-only attribute., xrefs: 00470EC7
• Non-default bitness: 64-bit, xrefs: 004708AF
• Uninstaller requires administrator: %s, xrefs: 0047118F
• Existing file is a newer version. Skipping., xrefs: 00470C02
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
• Failed to strip read-only attribute., xrefs: 00470ED3
• Existing file has a later time stamp. Skipping., xrefs: 00470DCF
• @, xrefs: 004707B0
• Time stamp of our file: %s, xrefs: 0047099B
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
• Dest file is protected by Windows File Protection., xrefs: 004708ED
• Dest filename: %s, xrefs: 00470894
• 2q, xrefs: 00470746
• Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
• Installing the file., xrefs: 00470F09
• Will register the file (a type library) later., xrefs: 00471513
• Non-default bitness: 32-bit, xrefs: 004708BB
• Dest file exists., xrefs: 004709BB
• Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
• Couldn't read time stamp. Skipping., xrefs: 00470D35
• User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
• Same version. Skipping., xrefs: 00470CE5
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
• Time stamp of existing file: (failed to read), xrefs: 00470A37
• Version of our file: (none), xrefs: 00470AFC
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
• Time stamp of existing file: %s, xrefs: 00470A2B
                                                                                • Same time stamp. Skipping., xrefs: 00470D55
                                                                                • .tmp, xrefs: 00470FB7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $-- File entry --$.tmp$2q$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                • API String ID: 0-4149113355
                                                                                • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1381 42e09c-42e0ad 1382 42e0b8-42e0dd AllocateAndInitializeSid 1381->1382 1383 42e0af-42e0b3 1381->1383 1384 42e0e3-42e100 GetVersion 1382->1384 1385 42e287-42e28f 1382->1385 1383->1385 1386 42e102-42e117 GetModuleHandleA GetProcAddress 1384->1386 1387 42e119-42e11b 1384->1387 1386->1387 1388 42e142-42e15c GetCurrentThread OpenThreadToken 1387->1388 1389 42e11d-42e12b CheckTokenMembership 1387->1389 1392 42e193-42e1bb GetTokenInformation 1388->1392 1393 42e15e-42e168 GetLastError 1388->1393 1390 42e131-42e13d 1389->1390 1391 42e269-42e27f FreeSid 1389->1391 1390->1391 1396 42e1d6-42e1fa call 402648 GetTokenInformation 1392->1396 1397 42e1bd-42e1c5 GetLastError 1392->1397 1394 42e174-42e187 GetCurrentProcess OpenProcessToken 1393->1394 1395 42e16a-42e16f call 4031bc 1393->1395 1394->1392 1401 42e189-42e18e call 4031bc 1394->1401 1395->1385 1407 42e208-42e210 1396->1407 1408 42e1fc-42e206 call 4031bc * 2 1396->1408 1397->1396 1398 42e1c7-42e1d1 call 4031bc * 2 1397->1398 1398->1385 1401->1385 1412 42e212-42e213 1407->1412 1413 42e243-42e261 call 402660 CloseHandle 1407->1413 1408->1385 1417 42e215-42e228 EqualSid 1412->1417 1418 42e22a-42e237 1417->1418 1419 42e23f-42e241 1417->1419 1418->1419 1422 42e239-42e23d 1418->1422 1419->1413 1419->1417 1422->1413
                                                                                APIs
                                                                                • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                • String ID: CheckTokenMembership$advapi32.dll
                                                                                • API String ID: 2252812187-1888249752
                                                                                • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1445 4502c0-4502cd 1446 4502d3-4502e0 GetVersion 1445->1446 1447 45037c-450386 1445->1447 1446->1447 1448 4502e6-4502fc LoadLibraryA 1446->1448 1448->1447 1449 4502fe-450377 GetProcAddress * 6 1448->1449 1449->1447
                                                                                APIs
                                                                                • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmStartSession), ref: 00450309
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmRegisterResources), ref: 0045031E
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmGetList), ref: 00450333
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmShutdown), ref: 00450348
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmRestart), ref: 0045035D
                                                                                • GetProcAddress.KERNEL32(6ECE0000,RmEndSession), ref: 00450372
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadVersion
                                                                                • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                • API String ID: 1968650500-3419246398
                                                                                • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph (basic-block edge dump for the function starting at 423c0c omitted; the graph image did not survive extraction)
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph (basic-block edge dump for the function starting at 4673a4 omitted; the graph image did not survive extraction)
                                                                                APIs
                                                                                  • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                                                • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                                  • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                                  • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                  • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                  • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                                  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                  • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                                  • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                                  • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                                  • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                                                • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021FFC1C,0220197C,?,?,022019AC,?,?,022019FC,?), ref: 004683FD
                                                                                • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                                                • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                                  • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                                • String ID: $(Default)$STOPIMAGE$%H
                                                                                • API String ID: 3231140908-2624782221
                                                                                • Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                • Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
                                                                                • Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
                                                                                • Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: unins$unins???.*
• API String ID: 3541575487-1009660736
• Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
• Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
• Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
• GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
Similarity
• API ID: ErrorFileFindFirstLast
• API String ID: 873889042-0
• Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
• Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
• Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
APIs
• GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
• CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
Similarity
• API ID: CreateInstanceVersion
• API String ID: 1462612201-0
• Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
• Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
• Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Similarity
• API ID: InfoLocale
• API String ID: 2299586839-0
• Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
• Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
• Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
Similarity
• API ID: NtdllProc_Window
• API String ID: 4255912815-0
• Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
• Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
• Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
Similarity
• API ID: NameUser
• API String ID: 2645101109-0
• Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
• Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
• Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
Similarity
• API ID: NtdllProc_Window
• API String ID: 4255912815-0
• Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
• Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
• Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

Control-flow Graph
APIs
  • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
  • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
• RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
Similarity
• API ID: Value$Close
• String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
• API String ID: 3391052094-3342197833
• Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
• Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
• Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1424 483a7c-483aa1 GetModuleHandleA GetProcAddress 1425 483b08-483b0d GetSystemInfo 1424->1425 1426 483aa3-483ab9 GetNativeSystemInfo GetProcAddress 1424->1426 1427 483b12-483b1b 1425->1427 1426->1427 1428 483abb-483ac6 GetCurrentProcess 1426->1428 1429 483b2b-483b32 1427->1429 1430 483b1d-483b21 1427->1430 1428->1427 1437 483ac8-483acc 1428->1437 1433 483b4d-483b52 1429->1433 1431 483b23-483b27 1430->1431 1432 483b34-483b3b 1430->1432 1435 483b29-483b46 1431->1435 1436 483b3d-483b44 1431->1436 1432->1433 1435->1433 1436->1433 1437->1427 1438 483ace-483ad5 call 45271c 1437->1438 1438->1427 1442 483ad7-483ae4 GetProcAddress 1438->1442 1442->1427 1443 483ae6-483afd GetModuleHandleA GetProcAddress 1442->1443 1443->1427 1444 483aff-483b06 1443->1444 1444->1427
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                • API String ID: 2230631259-2623177817
                                                                                • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1450 468d88-468dc0 call 47c26c 1453 468dc6-468dd6 call 478e24 1450->1453 1454 468fa2-468fbc call 403420 1450->1454 1459 468ddb-468e20 call 4078f4 call 403738 call 42de1c 1453->1459 1465 468e25-468e27 1459->1465 1466 468e2d-468e42 1465->1466 1467 468f98-468f9c 1465->1467 1468 468e57-468e5e 1466->1468 1469 468e44-468e52 call 42dd4c 1466->1469 1467->1454 1467->1459 1471 468e60-468e82 call 42dd4c call 42dd64 1468->1471 1472 468e8b-468e92 1468->1472 1469->1468 1471->1472 1493 468e84 1471->1493 1473 468e94-468eb9 call 42dd4c * 2 1472->1473 1474 468eeb-468ef2 1472->1474 1496 468ebb-468ec4 call 4314f8 1473->1496 1497 468ec9-468edb call 42dd4c 1473->1497 1478 468ef4-468f06 call 42dd4c 1474->1478 1479 468f38-468f3f 1474->1479 1489 468f16-468f28 call 42dd4c 1478->1489 1490 468f08-468f11 call 4314f8 1478->1490 1481 468f41-468f75 call 42dd4c * 3 1479->1481 1482 468f7a-468f90 RegCloseKey 1479->1482 1481->1482 1489->1479 1503 468f2a-468f33 call 4314f8 1489->1503 1490->1489 1493->1472 1496->1497 1497->1474 1507 468edd-468ee6 call 4314f8 1497->1507 1503->1479 1507->1474
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                Strings
                                                                                • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                • %s\%s_is1, xrefs: 00468E05
                                                                                • Inno Setup: No Icons, xrefs: 00468E73
                                                                                • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                • Inno Setup: App Path, xrefs: 00468E4A
                                                                                • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                • API String ID: 47109696-1093091907
                                                                                • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                  • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                  • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                                  • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                • API String ID: 3771764029-544719455
                                                                                • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1752 423874-42387e 1753 4239a7-4239ab 1752->1753 1754 423884-4238a6 call 41f3c4 GetClassInfoA 1752->1754 1757 4238d7-4238e0 GetSystemMetrics 1754->1757 1758 4238a8-4238bf RegisterClassA 1754->1758 1759 4238e2 1757->1759 1760 4238e5-4238ef GetSystemMetrics 1757->1760 1758->1757 1761 4238c1-4238d2 call 408cbc call 40311c 1758->1761 1759->1760 1762 4238f1 1760->1762 1763 4238f4-423950 call 403738 call 4062e8 call 403400 call 42364c SetWindowLongA 1760->1763 1761->1757 1762->1763 1775 423952-423965 call 424178 SendMessageA 1763->1775 1776 42396a-423998 GetSystemMenu DeleteMenu * 2 1763->1776 1775->1776 1776->1753 1777 42399a-4239a2 DeleteMenu 1776->1777 1777->1753
                                                                                APIs
                                                                                  • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                                • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                                • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                                • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                                • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                                • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                                • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                                • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                • String ID: |6B
                                                                                • API String ID: 183575631-3009739247
                                                                                • Opcode ID: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                                • Opcode Fuzzy Hash: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1891 47ce78-47cece call 42c3fc call 4035c0 call 47cb3c call 4525d8 1900 47ced0-47ced5 call 453344 1891->1900 1901 47ceda-47cee9 call 4525d8 1891->1901 1900->1901 1905 47cf03-47cf09 1901->1905 1906 47ceeb-47cef1 1901->1906 1909 47cf20-47cf48 call 42e394 * 2 1905->1909 1910 47cf0b-47cf11 1905->1910 1907 47cf13-47cf1b call 403494 1906->1907 1908 47cef3-47cef9 1906->1908 1907->1909 1908->1905 1911 47cefb-47cf01 1908->1911 1917 47cf6f-47cf89 GetProcAddress 1909->1917 1918 47cf4a-47cf6a call 4078f4 call 453344 1909->1918 1910->1907 1910->1909 1911->1905 1911->1907 1919 47cf95-47cfb2 call 403400 * 2 1917->1919 1920 47cf8b-47cf90 call 453344 1917->1920 1918->1917 1920->1919
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(74210000,SHGetFolderPathA), ref: 0047CF7A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                • API String ID: 190572456-1343262939
                                                                                • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                                                • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1929 40631c-406336 GetModuleHandleA GetProcAddress 1930 406338 1929->1930 1931 40633f-40634c GetProcAddress 1929->1931 1930->1931 1932 406355-406362 GetProcAddress 1931->1932 1933 40634e 1931->1933 1934 406364-406366 SetProcessDEPPolicy 1932->1934 1935 406368-406369 1932->1935 1933->1932 1934->1935
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModulePolicyProcess
                                                                                • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                • API String ID: 3256987805-3653653586
                                                                                • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                APIs
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$Prop
                                                                                • String ID: 3A$yA

                                                                                Control-flow Graph (figure not reproduced)
                                                                                APIs
                                                                                • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                  • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                  • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                Similarity
                                                                                • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                • String ID: c:\directory$shell32.dll$%H

                                                                                Control-flow Graph (figure not reproduced)
                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 0042F58F
                                                                                • GetFocus.USER32 ref: 0042F597
                                                                                • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                Similarity
                                                                                • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                • String ID: TWindowDisabler-Window
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                APIs
                                                                                • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                                • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                                • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                                Similarity
                                                                                • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                  • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                  • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                  • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                  • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                Similarity
                                                                                • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                APIs
                                                                                • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                • OemToCharA.USER32(?,?), ref: 0042375C
                                                                                • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                Similarity
                                                                                • API ID: Char$FileIconLoadLowerModuleName
                                                                                • String ID: 2$MAINICON
                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                                • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                                • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                                  • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                                  • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                  • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                  • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                  • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                  • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                  • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                  • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                  • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                  • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                • API String ID: 316262546-2767913252
                                                                                • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                APIs
                                                                                • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$Prop
                                                                                • String ID:
                                                                                • API String ID: 3887896539-0
                                                                                • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                Strings
                                                                                • WININIT.INI, xrefs: 004557E4
                                                                                • PendingFileRenameOperations2, xrefs: 00455784
                                                                                • PendingFileRenameOperations, xrefs: 00455754
                                                                                • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                • API String ID: 47109696-2199428270
                                                                                • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                • API String ID: 1375471231-2952887711
                                                                                • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                                • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                                APIs
                                                                                • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$EnumLongWindows
                                                                                • String ID: \AB
                                                                                • API String ID: 4191631535-3948367934
                                                                                • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                                • Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                                APIs
                                                                                • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 0042DE50
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003), ref: 0042DE6B
                                                                                • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressDeleteHandleModuleProc
                                                                                • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                • API String ID: 588496660-1846899949
                                                                                • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                                • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                                Strings
                                                                                • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                                                • NextButtonClick, xrefs: 0046BC4C
                                                                                • Need to restart Windows? %s, xrefs: 0046BE95
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                • API String ID: 0-2329492092
                                                                                • Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                • Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
                                                                                • Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                • Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
                                                                                APIs
                                                                                • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                                                • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ActiveChangeNotifyWindow
                                                                                • String ID: $Need to restart Windows? %s
                                                                                • API String ID: 1160245247-4200181552
                                                                                • Opcode ID: ba5f16efbf0dbfb38810013a5ff400e29d778abd1c5f4a70b5438b3cc2cf9249
                                                                                • Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
                                                                                • Opcode Fuzzy Hash: ba5f16efbf0dbfb38810013a5ff400e29d778abd1c5f4a70b5438b3cc2cf9249
                                                                                • Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
                                                                                APIs
                                                                                  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                • String ID: Creating directory: %s
                                                                                • API String ID: 2451617938-483064649
                                                                                • Opcode ID: 4e90ae3be4d00617aa2a0205853b4e8de3d2b048484072f4623b0078b04ad6be
                                                                                • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                                                • Opcode Fuzzy Hash: 4e90ae3be4d00617aa2a0205853b4e8de3d2b048484072f4623b0078b04ad6be
                                                                                • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressByteCharMultiProcWide
                                                                                • String ID: SfcIsFileProtected$sfc.dll
                                                                                • API String ID: 2508298434-591603554
                                                                                • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                                                • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                                                APIs
                                                                                • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                • RegisterClassA.USER32(?), ref: 004164CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Class$InfoRegisterUnregister
                                                                                • String ID: @
                                                                                • API String ID: 3749476976-2766056989
                                                                                • Opcode ID: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                                • Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
                                                                                • Opcode Fuzzy Hash: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                                • Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
                                                                                APIs
                                                                                • 754B1520.VERSION(00000000,?,?,?,?), ref: 00452530
                                                                                • 754B1500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,?), ref: 0045255D
                                                                                • 754B1540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,?), ref: 00452577
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: B1500B1520B1540
                                                                                • String ID: %E
                                                                                • API String ID: 624677603-175436132
                                                                                • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                                • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0044B401
                                                                                • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectReleaseSelect
                                                                                • String ID: %H
                                                                                • API String ID: 1831053106-1959103961
                                                                                • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                                • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DrawText$ByteCharMultiWide
                                                                                • String ID: %H
                                                                                • API String ID: 65125430-1959103961
                                                                                • Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                                                • Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                                                APIs
                                                                                • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                • String ID: SHAutoComplete$shlwapi.dll
                                                                                • API String ID: 395431579-1506664499
                                                                                • Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                                • Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                                Strings
                                                                                • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                                • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                                • PendingFileRenameOperations, xrefs: 00455A40
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                • API String ID: 47109696-2115312317
                                                                                • Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                                                • Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                                • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                                • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileNext
                                                                                • String ID:
                                                                                • API String ID: 2066263336-0
                                                                                • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                                                • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileNext
                                                                                • String ID:
                                                                                • API String ID: 2066263336-0
                                                                                • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                                • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                                APIs
                                                                                • GetMenu.USER32(00000000), ref: 00421361
                                                                                • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Menu
                                                                                • String ID:
                                                                                • API String ID: 3711407533-0
                                                                                • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                APIs
                                                                                • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Color$CallMessageProcSendTextWindow
                                                                                • String ID:
                                                                                • API String ID: 601730667-0
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042311E
                                                                                • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                Similarity
                                                                                • API ID: CapsDeviceEnumFontsRelease
                                                                                • String ID:
                                                                                • API String ID: 2698912916-0
                                                                                APIs
                                                                                • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Similarity
                                                                                • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                • String ID:
                                                                                • API String ID: 730355536-0
                                                                                APIs
                                                                                  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                Strings
                                                                                • NumRecs range exceeded, xrefs: 0045C396
                                                                                • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                Similarity
                                                                                • API ID: File$BuffersFlush
                                                                                • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                • API String ID: 3593489403-659731555
                                                                                APIs
                                                                                  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                  • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                  • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                  • Part of subcall function 004063C4: 6FCB1CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                  • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                  • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                  • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                  • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                  • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                  • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                  • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                  • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                  • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                  • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                  • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                  • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                  • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                  • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                  • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                  • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                  • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                  • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                • String ID: Setup
                                                                                • API String ID: 504348408-3839654196
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: $=H
                                                                                • API String ID: 3660427363-3538597426
                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID: .tmp
                                                                                • API String ID: 1375471231-2986845003
                                                                                APIs
                                                                                  • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                  • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                  • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                  • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                  • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                  • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                  • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                • API String ID: 3869789854-2936008475
                                                                                APIs
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: RegisteredOrganization$RegisteredOwner
                                                                                • API String ID: 3535843008-1113070880
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateErrorFileHandleLast
                                                                                • String ID: CreateFile
                                                                                • API String ID: 2528220319-823142352
                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                • API String ID: 71445658-2565060666
                                                                                APIs
                                                                                  • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                                  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                • API String ID: 2906209438-2320870614
                                                                                APIs
                                                                                  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorLibraryLoadModeProc
                                                                                • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                • API String ID: 2492108670-2683653824
                                                                                APIs
                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID:
                                                                                • API String ID: 2574300362-0
                                                                                APIs
                                                                                • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                                                • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                                                • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Append$System
                                                                                • String ID:
                                                                                • API String ID: 1489644407-0
                                                                                APIs
                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                                                • TranslateMessage.USER32(?), ref: 0042448F
                                                                                • DispatchMessageA.USER32(?), ref: 00424499
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Message$DispatchPeekTranslate
                                                                                • String ID:
                                                                                • API String ID: 4217535847-0
                                                                                APIs
                                                                                • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                                                • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Prop$Window
                                                                                • String ID:
                                                                                • API String ID: 3363284559-0
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 0041EE64
                                                                                • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                                                • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
APIs
• SetActiveWindow.USER32(?), ref: 0046A02D
Similarity
• API ID: ActiveWindow
• String ID: PrepareToInstall
• API String ID: 2558294473-1101760603
Similarity
• API ID:
• String ID: /:*?"<>|
• API String ID: 0-4078764451
APIs
• SetActiveWindow.USER32(?), ref: 00482676
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
Strings
• Inno Setup: Setup Version, xrefs: 0046EE65
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
  • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
  • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
• SendNotifyMessageA.USER32(00010486,00000496,00002711,-00000001), ref: 0047E6BA
Similarity
• API ID: EnumFontsMessageNotifyReleaseSend
• String ID:
• API String ID: 2649214853-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
  • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
Similarity
• API ID: ByteCharMetricsMultiSystemWide
• String ID: /G
• API String ID: 224039744-2088674125
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
APIs
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
• RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                Similarity
                                                                                • API ID: CloseEnum
                                                                                • String ID:
                                                                                • API String ID: 2818636725-0
                                                                                • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 2919029540-0
                                                                                • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindFree
                                                                                • String ID:
                                                                                • API String ID: 4097029671-0
                                                                                • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$CurrentEnumWindows
                                                                                • String ID:
                                                                                • API String ID: 2396873506-0
                                                                                • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                                • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                                APIs
                                                                                • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastMove
                                                                                • String ID:
                                                                                • API String ID: 55378915-0
                                                                                • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                                • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                                APIs
                                                                                • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectoryErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1375471231-0
                                                                                • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                                APIs
                                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                                • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CursorLoad
                                                                                • String ID:
                                                                                • API String ID: 3238433803-0
                                                                                • Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                • Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
                                                                                • Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                • Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLibraryLoadMode
                                                                                • String ID:
                                                                                • API String ID: 2987862817-0
                                                                                • Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                • Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
                                                                                • Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                • Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
                                                                                APIs
                                                                                • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
                                                                                • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
                                                                                  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$FilePointer
                                                                                • String ID:
                                                                                • API String ID: 1156039329-0
                                                                                • Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                • Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
                                                                                • Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                • Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                                • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                                  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                                  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                • String ID:
                                                                                • API String ID: 1658689577-0
                                                                                • Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                • Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
                                                                                • Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                • Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
                                                                                APIs
                                                                                • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                                                Similarity
                                                                                • API ID: InfoScroll
                                                                                • String ID:
                                                                                • API String ID: 629608716-0
                                                                                • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                • Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
                                                                                • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                • Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
                                                                                APIs
                                                                                  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                                  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                                  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                                Similarity
                                                                                • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                • String ID:
                                                                                • API String ID: 3319771486-0
                                                                                • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                                • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                                • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                                APIs
                                                                                • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                                • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                • Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                • Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                APIs
                                                                                • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                Similarity
                                                                                • API ID: FormatMessage
                                                                                • String ID:
                                                                                • API String ID: 1306739567-0
                                                                                • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                APIs
                                                                                • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                                                Similarity
                                                                                • API ID: ExtentPointText
                                                                                • String ID:
                                                                                • API String ID: 566491939-0
                                                                                • Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                • Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
                                                                                • Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                • Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
                                                                                APIs
                                                                                • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                APIs
                                                                                • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseFind
                                                                                • String ID:
                                                                                • API String ID: 1863332320-0
                                                                                • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
                                                                                APIs
                                                                                  • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                                                • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: InfoParametersSystem$ShowWindow
                                                                                • String ID:
                                                                                • API String ID: 3202724764-0
                                                                                • Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                • Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
                                                                                • Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                • Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
                                                                                APIs
                                                                                • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: TextWindow
                                                                                • String ID:
                                                                                • API String ID: 530164218-0
                                                                                • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                                • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                                APIs
                                                                                • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CallbackDispatcherUser
                                                                                • String ID:
                                                                                • API String ID: 2492992576-0
                                                                                • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                APIs
                                                                                • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 734332943-0
                                                                                • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                APIs
                                                                                • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectory
                                                                                • String ID:
                                                                                • API String ID: 1611563598-0
                                                                                • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
• Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
• Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
• Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
APIs
Memory Dump Source
• Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
Similarity
• API ID: DestroyWindow
• String ID:
• API String ID: 3375834691-0
• Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
• Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
• Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
• Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
• Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
• Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
• Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
• Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
• Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
• Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
APIs
• GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
• Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
• Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
• Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
• Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
• Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
• Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
• Instruction Fuzzy Hash:
APIs
• GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
• SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
• FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
Strings
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
• Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
• Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
• Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
• Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
APIs
• GetTickCount.KERNEL32 ref: 0045862F
• QueryPerformanceCounter.KERNEL32(021E3858,00000000,004588C2,?,?,021E3858,00000000,?,00458FBE,?,021E3858,00000000), ref: 00458638
• GetSystemTimeAsFileTime.KERNEL32(021E3858,021E3858), ref: 00458642
• GetCurrentProcessId.KERNEL32(?,021E3858,00000000,004588C2,?,?,021E3858,00000000,?,00458FBE,?,021E3858,00000000), ref: 0045864B
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021E3858,021E3858), ref: 004586CF
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
• CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
• Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
• Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
• Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
• Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
APIs
  • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021E2BD8,?,?,?,021E2BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
  • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
  • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD8,?,?,?,021E2BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
  • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD8,?,?,?,021E2BD8), ref: 004783CC
  • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,021E2BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
  • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,021E2BD8,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
• ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
• GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
• CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
Strings
                                                                                Similarity
                                                                                • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                • API String ID: 883996979-221126205
                                                                                • Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                                                • Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendShowWindow
                                                                                • String ID:
                                                                                • API String ID: 1631623395-0
                                                                                • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                                                • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 00418393
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                • GetWindowRect.USER32(?), ref: 004183CC
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                • String ID: ,
                                                                                • API String ID: 2266315723-3772416878
                                                                                • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                                                • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                • String ID: SeShutdownPrivilege
                                                                                • API String ID: 107509674-3733053543
                                                                                • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                                • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                                • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                                • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$CryptVersion
                                                                                • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                • API String ID: 1951258720-508647305
                                                                                • Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                • Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
                                                                                • Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                • Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                                                • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FileFind$AttributesCloseFirstNext
                                                                                • String ID: isRS-$isRS-???.tmp
                                                                                • API String ID: 134685335-3422211394
                                                                                • Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                • Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
                                                                                • Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                • Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
                                                                                APIs
                                                                                • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
                                                                                • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
                                                                                • SetForegroundWindow.USER32(?), ref: 00457649
                                                                                • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
                                                                                Strings
                                                                                • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                • API String ID: 2236967946-3182603685
                                                                                • Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                • Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
                                                                                • Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                • Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                • API String ID: 1646373207-3712701948
                                                                                • Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                                                • Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 00417D0F
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Placement$Iconic
                                                                                • String ID: ,
                                                                                • API String ID: 568898626-3772416878
                                                                                • Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                                                • Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
                                                                                • FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$CloseErrorFirstModeNext
                                                                                • String ID:
                                                                                • API String ID: 4011626565-0
                                                                                • Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                • Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
                                                                                • Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                • Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
                                                                                • FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
                                                                                Similarity
                                                                                • API ID: Find$File$CloseErrorFirstModeNext
                                                                                • String ID:
                                                                                • API String ID: 4011626565-0
                                                                                • Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                • Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
                                                                                • Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                • Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                                                • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                                                • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                                                • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                                                • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                                                Similarity
                                                                                • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                • String ID:
                                                                                • API String ID: 1177325624-0
                                                                                • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                                                • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 0048397A
                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                                                • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                                                • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                                                Similarity
                                                                                • API ID: Window$Show$IconicLong
                                                                                • String ID:
                                                                                • API String ID: 2754861897-0
                                                                                • Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                • Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
                                                                                • Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                • Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
                                                                                • FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstNext
                                                                                • String ID:
                                                                                • API String ID: 3541575487-0
                                                                                • Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                • Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
                                                                                • Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                • Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 004241E4
                                                                                • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                                  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                  • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021E25AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                                                • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                                                Similarity
                                                                                • API ID: Window$ActiveFocusIconicShow
                                                                                • String ID:
                                                                                • API String ID: 649377781-0
                                                                                • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                                                • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 00417D0F
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                Similarity
                                                                                • API ID: Window$Placement$Iconic
                                                                                • String ID:
                                                                                • API String ID: 568898626-0
                                                                                • Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                                                • Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: CaptureIconic
                                                                                • String ID:
                                                                                • API String ID: 2277910766-0
                                                                                • Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                • Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
                                                                                • Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                • Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
                                                                                APIs
                                                                                • IsIconic.USER32(?), ref: 0042419B
                                                                                  • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                  • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                  • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                  • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                • String ID:
                                                                                • API String ID: 2671590913-0
                                                                                • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                • Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
                                                                                • Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                • Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                • Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
                                                                                • Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                • Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
                                                                                Similarity
                                                                                • API ID: NtdllProc_Window
                                                                                • String ID:
                                                                                • API String ID: 4255912815-0
                                                                                • Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                • Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
                                                                                • Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                • Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
                                                                                APIs
                                                                                • ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CryptFour
                                                                                • String ID:
                                                                                • API String ID: 2153018856-0
                                                                                • Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                • Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
                                                                                • Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                • Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
                                                                                APIs
                                                                                • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CryptFour
                                                                                • String ID:
                                                                                • API String ID: 2153018856-0
                                                                                • Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                • Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
                                                                                • Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
                                                                                • Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3155070341.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000001.00000002.3155044300.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000001.00000002.3155085428.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_10000000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3155070341.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                • Associated: 00000001.00000002.3155044300.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000001.00000002.3155085428.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_10000000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                • Instruction Fuzzy Hash:
                                                                                APIs
                                                                                  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                                • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                                • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                                • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                                • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                                • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                                • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                                • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                                • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                                • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                                • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                                • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoadVersion
                                                                                • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                • API String ID: 1968650500-2910565190
                                                                                • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                                • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0041CA40
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                                • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                                • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                                • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                                • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                                • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                                • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                                • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                                • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                                • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                                • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                                • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                                • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                                • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                                • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                                • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                • String ID:
                                                                                • API String ID: 269503290-0
                                                                                • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                                • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                                Strings
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                                • IPropertyStore::Commit, xrefs: 004568E3
                                                                                • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                                • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                                • {pf32}\, xrefs: 0045671E
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                                • IPersistFile::Save, xrefs: 00456962
                                                                                • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                                • CoCreateInstance, xrefs: 004566AF
                                                                                • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateInstance$FreeString
                                                                                • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                • API String ID: 308859552-2363233914
                                                                                • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                                                • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                                                APIs
                                                                                • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                                                • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                                                • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                                                • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                                  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                • API String ID: 2000705611-3672972446
                                                                                • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                                                • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,0045A994), ref: 0045A846
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                • API String ID: 1452528299-3112430753
                                                                                • Opcode ID: 897371adc22cb023c4f91e5d84e86364b249416017dada323b4764b4a4f9f98f
                                                                                • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                                • Opcode Fuzzy Hash: 897371adc22cb023c4f91e5d84e86364b249416017dada323b4764b4a4f9f98f
                                                                                • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                APIs
                                                                                • GetVersion.KERNEL32 ref: 0045CBDA
                                                                                • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                                • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                                • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                                • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                                  • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                                • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                                • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                • API String ID: 59345061-4263478283
                                                                                • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                                • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                                                APIs
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                                • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                                • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                                • GetDC.USER32(00000000), ref: 0041B402
                                                                                • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                • String ID:
                                                                                • API String ID: 644427674-0
                                                                                • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                                • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                                APIs
                                                                                  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                                • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                                • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                                • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                • API String ID: 971782779-3668018701
                                                                                • Opcode ID: ec03a6b44b0f4cd57b1805575295038081ef414545ebdff26f55f13b118b0783
                                                                                • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                                • Opcode Fuzzy Hash: ec03a6b44b0f4cd57b1805575295038081ef414545ebdff26f55f13b118b0783
                                                                                • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,00454B0D,?,?,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                                Strings
                                                                                • , xrefs: 004548FE
                                                                                • RegOpenKeyEx, xrefs: 00454910
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue$FormatMessageOpen
                                                                                • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                • API String ID: 2812809588-1577016196
                                                                                • Opcode ID: aec1327b0b0803e0d56dc0c3992fac0afe6f111b5b563ab43accc1af076cf8f5
                                                                                • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                • Opcode Fuzzy Hash: aec1327b0b0803e0d56dc0c3992fac0afe6f111b5b563ab43accc1af076cf8f5
                                                                                • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                APIs
                                                                                  • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                Strings
                                                                                • v4.0.30319, xrefs: 004594F1
                                                                                • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                • v1.1.4322, xrefs: 004595C2
                                                                                • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                • .NET Framework version %s not found, xrefs: 00459609
                                                                                • .NET Framework not found, xrefs: 0045961D
                                                                                • v2.0.50727, xrefs: 0045955B
                                                                                • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Close$Open
                                                                                • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                • API String ID: 2976201327-446240816
                                                                                • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
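The records above are Joe Sandbox's per-function listings: each call site with its module and arguments, the strings the function references (joined with `$` in the String ID field), and the fuzzy hashes used for similarity matching. The Python below is an added example, not Joe Sandbox's or Inno Setup's code. It is a parser for that record layout, inferred from the text on this page, with two triage checks over the parsed data: one that collects the Inno Setup runtime markers visible in these records (the Inno-Setup-RegSvr-Mutex mutex, the /REG and /REGU switches, the {pf32} and {group} constants), and one that lists the API names the sample resolves through GetProcAddress instead of its import table. The SAMPLE text is constructed from two of the records above with the memory-dump lines trimmed; the record and function names and the marker set are this example's own.

```python
"""Parser for Joe Sandbox per-function records (APIs / Strings / Similarity)
plus two triage checks.  Added example, not Joe Sandbox or Inno Setup code:
the layout is inferred from the report text and SAMPLE is built from two of
the page's records.  The marker strings are Inno Setup runtime constants."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function XXXXXXXX: "; GetVersion.KERNEL32 has no arg list.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# Inno Setup runtime constants: their presence means the payload is wrapped
# in an Inno Setup installer, which is what these records show.
INNO_SETUP_MARKERS = {"Inno-Setup-RegSvr-Mutex", "{pf32}\\", "{group}\\", "/REG", "/REGU"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                   # call-site address in the dump
    subcall_of: Optional[str]  # set for "Part of subcall function" lines
    args: List[str]


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; each record starts at an 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif line.startswith("•") and current is not None:
            body = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(body)):
                args = m.group("args").split(",") if m.group("args") else []
                current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                            m.group("ref"), m.group("sub"), args))
            elif section == "Strings":
                s = body.rsplit(", xrefs:", 1)[0]      # "<string>, xrefs: ADDR"
                if s:
                    current.strings.append(s)
            elif section == "Similarity":
                key, _, value = body.partition(":")
                current.similarity[key.strip()] = value.strip()
                if key.strip() == "String ID":         # distinct strings joined by '$'
                    current.strings.extend(s for s in value.strip().split("$") if s)
    return records


def installer_indicators(records: List[FunctionRecord]) -> set:
    """Inno Setup markers seen as referenced strings or as the CreateMutexA name."""
    hits = set()
    for r in records:
        hits.update(s for s in r.strings if s in INNO_SETUP_MARKERS)
        for api in r.apis:
            if api.name == "CreateMutexA" and "Inno-Setup-RegSvr-Mutex" in api.args:
                hits.add("mutex:Inno-Setup-RegSvr-Mutex")
    return hits


def dynamically_resolved_imports(records: List[FunctionRecord]) -> List[str]:
    """Names passed to GetProcAddress: bound at run time, absent from the import table."""
    return [api.args[1] for r in records for api in r.apis
            if api.name == "GetProcAddress" and len(api.args) >= 2]


# Constructed from two records on this page, memory-dump lines trimmed.
SAMPLE = """
APIs
• ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
• CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Similarity
• String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
• Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
APIs
• GetVersion.KERNEL32 ref: 0045CBDA
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
Similarity
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.similarity.get("Instruction Fuzzy Hash"), [a.name for a in r.apis])
    print("installer indicators:", sorted(installer_indicators(recs)))
    print("run-time resolved imports:", dynamically_resolved_imports(recs))
```

Run as a script it prints each record's instruction fuzzy hash with its API sequence, the installer markers found, and the names bound through GetProcAddress (GetNamedSecurityInfoW, SetNamedSecurityInfoW and SetEntriesInAclW here, the ACL-editing calls, which a static scan of the import table would not list). Keying similarity lookups on the instruction fuzzy hash rather than the API list is what lets the same installer-wrapper functions be matched across differently packaged samples.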
                                                                                APIs
                                                                                • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                Strings
                                                                                • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                • Helper process exited., xrefs: 00458AC5
                                                                                • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                • API String ID: 3355656108-1243109208
                                                                                • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                APIs
                                                                                  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                Strings
                                                                                • , xrefs: 004545B1
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                                • RegCreateKeyEx, xrefs: 004545C3
                                                                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateFormatMessageQueryValue
                                                                                • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                • API String ID: 2481121983-1280779767
                                                                                • Opcode ID: f9c0919aa15cd1947ef757741bec092e2a41be70418b738709af356a648b502b
                                                                                • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                                • Opcode Fuzzy Hash: f9c0919aa15cd1947ef757741bec092e2a41be70418b738709af356a648b502b
                                                                                • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                                                APIs
                                                                                  • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                  • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                                • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                                • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                                • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                                  • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                • API String ID: 1549857992-2312673372
                                                                                • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                                                • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressCloseHandleModuleProc
                                                                                • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                                • API String ID: 4190037839-2312295185
                                                                                • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                                • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 004629FC
                                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                                • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                • API String ID: 2610873146-3407710046
                                                                                • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                                                • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                                                APIs
                                                                                • GetActiveWindow.USER32 ref: 0042F194
                                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                                • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                • API String ID: 2610873146-3407710046
                                                                                • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,021E3858,00000000), ref: 00458C79
                                                                                • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                                • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                                • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                                • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                • String ID: CreateEvent$TransactNamedPipe
                                                                                • API String ID: 2182916169-3012584893
                                                                                • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                                • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85), ref: 00456D48
                                                                                • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                • API String ID: 1914119943-2711329623
                                                                                • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                                • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
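The function entries above all follow the same layout (an "APIs" block, optional "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"), and two of them (the MonitorFromWindow pair) carry the same "API String ID" with different "Opcode ID" values, which is what the Similarity block is for: same import-and-string signature, different code body. The parser below is an added example written for this page; it is not Joe Sandbox code and it assumes only the text layout visible in the listing. `SAMPLE` is a constructed, abridged splice of entries from this page (the "Download File" suffix on "Associated" lines is link text left behind by the HTML export and is stripped), `parse_entries`, `ApiCall`, `FunctionEntry` and `group_by_api_string_id` are names chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical parser (added example, not Joe Sandbox code) for the per-function
# listing format seen in the report: "APIs", "Strings", "Memory Dump Source",
# "Joe Sandbox IDA Plugin" and "Similarity" blocks made of "• " bullet lines.

# "TerminateProcess.KERNEL32(?,00000001,?), ref: 00458A97", optionally prefixed
# with "Part of subcall function 0042DDE4: " and optionally without an arg list.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# "Helper process exited, but failed to get exit code., xrefs: 00458AEF"
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
BULLET = "• "


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set when the call sits in a callee


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)      # (text, xref) pairs
    source_file: str = ""
    associated: list = field(default_factory=list)
    snapshot: str = ""
    similarity: dict = field(default_factory=dict)   # "API ID", "Opcode ID", ...


def parse_entries(text):
    """Split a listing into FunctionEntry records; every entry opens with 'APIs'."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith(BULLET):
            raise ValueError(f"unexpected line: {raw!r}")
        body = line[len(BULLET):]
        if section == "APIs":
            m = API_RE.match(body)
            if not m:
                raise ValueError(f"bad API line: {body!r}")
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if not m:
                raise ValueError(f"bad string line: {body!r}")
            cur.strings.append((m["text"], m["xref"]))
        elif section == "Memory Dump Source":
            key, _, value = body.partition(": ")
            if key == "Source File":
                cur.source_file = value.split(", ")[0]
            elif key == "Associated":
                # "Download File" is link text glued on by the HTML export.
                cur.associated.append(value.removesuffix("Download File"))
        elif section == "Joe Sandbox IDA Plugin":
            cur.snapshot = body.partition(": ")[2]
        elif section == "Similarity":
            key, _, value = body.partition(": ")
            cur.similarity[key] = value
    return entries


def group_by_api_string_id(entries):
    """Map each 'API String ID' to the Opcode IDs sharing it: same API/string
    signature, different code, i.e. the code-reuse candidates worth diffing."""
    groups = {}
    for e in entries:
        sig = e.similarity.get("API String ID")
        if sig:
            groups.setdefault(sig, []).append(e.similarity.get("Opcode ID"))
    return groups


# Constructed sample: abridged and spliced from entries on this page.
SAMPLE = """\
APIs
• GetActiveWindow.USER32 ref: 004629FC
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
Strings
Memory Dump Source
• Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• API String ID: 2610873146-3407710046
• Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
APIs
• GetActiveWindow.USER32 ref: 0042F194
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?), ref: 0042DE10
Strings
• Helper process exited, but failed to get exit code., xrefs: 00458AEF
• , xrefs: 004545B1
Similarity
• API String ID: 2610873146-3407710046
• Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
"""

if __name__ == "__main__":
    for sig, opcodes in group_by_api_string_id(parse_entries(SAMPLE)).items():
        print(sig, "->", opcodes)
```

Feeding a whole report's function listing through `parse_entries` and then `group_by_api_string_id` pulls out exactly the pairs like the two MonitorFromWindow functions above: identical API and string fingerprint, distinct opcode hashes. The same records can be keyed on `Opcode ID` or `Instruction Fuzzy Hash` instead when the goal is matching a function across different samples' reports rather than within one.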
                                                                                APIs
                                                                                • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                • SaveDC.GDI32(?), ref: 00416E27
                                                                                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                • DeleteObject.GDI32(?), ref: 00416F22
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                • String ID:
                                                                                • API String ID: 375863564-0
                                                                                • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                                • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                APIs
                                                                                • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Delete$EnableItem$System
                                                                                • String ID:
                                                                                • API String ID: 3985193851-0
                                                                                • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                • SendNotifyMessageA.USER32(00010486,00000496,00002710,00000000), ref: 00481A97
                                                                                Strings
                                                                                • Restarting Windows., xrefs: 00481A72
                                                                                • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                • Deinitializing Setup., xrefs: 00481872
                                                                                • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                • DeinitializeSetup, xrefs: 0048190D
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FreeLibrary$MessageNotifySend
                                                                                • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                • API String ID: 3817813901-1884538726
                                                                                • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                                APIs
                                                                                • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                                • GetActiveWindow.USER32 ref: 0046172B
                                                                                • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                                • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                                • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                                • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                                • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                • String ID: A
                                                                                • API String ID: 2684663990-3554254475
                                                                                • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                                • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                                • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                                  • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                                • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                • API String ID: 884541143-1710247218
                                                                                • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                                                • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                                • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                                • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                                • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                                • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                • API String ID: 190572456-3516654456
                                                                                • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                                                • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                                • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
                                                                                APIs
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Color$StretchText
                                                                                • String ID:
                                                                                • API String ID: 2984075790-0
                                                                                • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                                • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                                • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                                APIs
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDirectoryHandleSystem
                                                                                • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                • API String ID: 2051275411-1862435767
                                                                                • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                                                • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                                • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                                                APIs
                                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Text$Color$Draw$OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 1005981011-0
                                                                                • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041B745
                                                                                • GetDC.USER32(?), ref: 0041B751
                                                                                • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                • String ID: %H
                                                                                • API String ID: 3275473261-1959103961
                                                                                • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                                • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041BA17
                                                                                • GetDC.USER32(?), ref: 0041BA23
                                                                                • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                • String ID: %H
                                                                                • API String ID: 3275473261-1959103961
                                                                                • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                                • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                                • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                APIs
                                                                                  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                Strings
                                                                                • Deleting Uninstall data files., xrefs: 004964FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                • String ID: Deleting Uninstall data files.
                                                                                • API String ID: 1570157960-2568741658
                                                                                • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                                • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                                • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                                Strings
                                                                                • Failed to open Fonts registry key., xrefs: 00470281
                                                                                • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                                • AddFontResource, xrefs: 004702B5
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                • API String ID: 955540645-649663873
                                                                                • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                                • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                                APIs
                                                                                  • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                  • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                  • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                                • GetVersion.KERNEL32 ref: 00462E60
                                                                                • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                                • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                                • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                • String ID: Explorer
                                                                                • API String ID: 2594429197-512347832
                                                                                • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                                • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,021E2BD8,?,?,?,021E2BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD8,?,?,?,021E2BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,021E2BD8,?,?,?,021E2BD8), ref: 004783CC
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,021E2BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                • API String ID: 2704155762-2318956294
                                                                                • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                                • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,00459F8E), ref: 00459ED2
                                                                                  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                                                Strings
                                                                                • Stripped read-only attribute., xrefs: 00459E94
                                                                                • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                                                • Failed to delete directory (%d)., xrefs: 00459F68
                                                                                • Failed to strip read-only attribute., xrefs: 00459EA0
                                                                                • Deleting directory: %s, xrefs: 00459E5B
                                                                                • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                                                • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseErrorFindLast
                                                                                • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                • API String ID: 754982922-1448842058
                                                                                • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                                • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                                APIs
                                                                                • GetCapture.USER32 ref: 00422EA4
                                                                                • GetCapture.USER32 ref: 00422EB3
                                                                                • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                                                • ReleaseCapture.USER32 ref: 00422EBE
                                                                                • GetActiveWindow.USER32 ref: 00422ECD
                                                                                • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                                                • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                                                • GetActiveWindow.USER32 ref: 00422FBF
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                • String ID:
                                                                                • API String ID: 862346643-0
                                                                                • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                                • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                                                • GetActiveWindow.USER32 ref: 0042F2DA
                                                                                • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                                                • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ActiveLong$Message
                                                                                • String ID:
                                                                                • API String ID: 2785966331-0
                                                                                • Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                • Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
                                                                                • Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                • Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042948A
                                                                                • GetTextMetricsA.GDI32(00000000), ref: 00429493
                                                                                  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004294A2
                                                                                • GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004294B6
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 004294BE
                                                                                • GetSystemMetrics.USER32(00000006), ref: 004294E3
                                                                                • GetSystemMetrics.USER32(00000006), ref: 004294FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                • String ID:
                                                                                • API String ID: 1583807278-0
                                                                                • Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                • Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
                                                                                • Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                • Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0041DE27
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                                                • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                                                • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                                                • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                                                • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                                                • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                • String ID:
                                                                                • API String ID: 225703358-0
                                                                                • Opcode ID: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                                • Opcode Fuzzy Hash: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                                APIs
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 00463344
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
                                                                                • SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$Load
                                                                                • String ID: $ $Internal error: Item already expanding
                                                                                • API String ID: 1675784387-1948079669
                                                                                • Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                • Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
                                                                                • Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                • Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
                                                                                APIs
                                                                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfileStringWrite
                                                                                • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                • API String ID: 390214022-3304407042
                                                                                • Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                                                • Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                                                APIs
                                                                                • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
                                                                                • SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
                                                                                • GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ClassInfoLongMessageSendWindow
                                                                                • String ID: COMBOBOX$Inno Setup: Language
                                                                                • API String ID: 3391662889-4234151509
                                                                                • Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                • Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
                                                                                • Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                • Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
                                                                                APIs
                                                                                • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                                  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                  • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocale$DefaultSystem
                                                                                • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 1044490935-665933166
                                                                                • Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                                                • Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                                                APIs
                                                                                • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                                                • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                                  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                                                • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                                  • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                                                • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                • String ID: ,$?
                                                                                • API String ID: 2359071979-2308483597
                                                                                • Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                                • Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                                APIs
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                                • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                                • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                                • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                                • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                • String ID:
                                                                                • API String ID: 1030595962-0
                                                                                • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                                • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                                APIs
                                                                                • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                                • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                                • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                                • RealizePalette.GDI32(?), ref: 0041CF92
                                                                                • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                                • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                                • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                • String ID:
                                                                                • API String ID: 2222416421-0
                                                                                • Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                                • Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,?,?), ref: 0045732E
                                                                                  • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
                                                                                • TranslateMessage.USER32(?), ref: 004573B3
                                                                                • DispatchMessageA.USER32(?), ref: 004573BC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                • String ID: [Paused]
                                                                                • API String ID: 1007367021-4230553315
                                                                                • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                APIs
                                                                                • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$LoadSleep
                                                                                • String ID: CheckPassword
                                                                                • API String ID: 4023313301-1302249611
                                                                                • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                APIs
                                                                                  • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                  • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                  • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                Strings
                                                                                • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                • API String ID: 613034392-3771334282
                                                                                • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(?,CreateAssemblyCache), ref: 0045983F
                                                                                Strings
                                                                                • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                • CreateAssemblyCache, xrefs: 00459836
                                                                                • Fusion.dll, xrefs: 004597DF
                                                                                • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                • API String ID: 190572456-3990135632
                                                                                • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
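The per-function blocks above (APIs, Strings, Memory Dump Source, Similarity) are what the "Contains functionality to dynamically determine API calls" signature is built from: GetProcAddress calls whose argument column carries a literal name such as CreateAssemblyCache. The parser below is an added example, not part of the Joe Sandbox report or of the analysed sample. It assumes the block layout exactly as rendered on this page (one block per "APIs" heading, "• " bullets, "Part of subcall function XXXXXXXX:" prefixes, ", ref:" and ", xrefs:" suffixes) and runs over a constructed two-block sample copied in that shape. One caveat it encodes: the argument column is the sandbox's reconstruction of the stack at the call site, so a value like user32.dll next to GetProcAddress can be a stale slot rather than the real second argument.

```python
"""Parse Joe Sandbox per-function annotation blocks into records and query them.
Added example; assumes the block layout shown on this report page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: two blocks copied in the shape of this report page.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(?,CreateAssemblyCache), ref: 0045983F
Strings
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
• CreateAssemblyCache, xrefs: 00459836
• Fusion.dll, xrefs: 004597DF
Memory Dump Source
• Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Fusion.dll
• API String ID: 190572456-3990135632
• Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
APIs
  • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
  • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
• SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
Strings
• CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# "<name>.<module>(<args>), ref: <addr>"; args and the subcall prefix are optional.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")
# APIs whose string arguments name the import being resolved at run time.
RESOLVERS = ("GetProcAddress", "GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # set when the call sits in a callee the plugin inlined


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # Similarity fields (Opcode ID, API String ID, ...)

    def api_names(self) -> List[str]:
        return sorted({c.name for c in self.apis})


def parse_report(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' heading; sections the query code does not need are skipped."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = m.group("args").split(",") if m.group("args") else []
                current.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
        elif section == "Strings":
            value, sep, _xref = body.rpartition(", xrefs: ")
            current.strings.append(value if sep else body)
        elif section == "Similarity":
            key, _, value = body.partition(": ")
            current.meta[key] = value
    return records


def dynamic_imports(rec: FunctionRecord) -> List[str]:
    """Literal (non-hex, non-'?') arguments of resolver APIs: the names resolved at run time.
    The argument column is a stack snapshot, so treat stale-looking values (a DLL name in the
    GetProcAddress slot) as a hint to read the disassembly, not as ground truth."""
    return [a for c in rec.apis if c.name in RESOLVERS
            for a in c.args if a != "?" and not HEX_RE.match(a)]


def find(records: List[FunctionRecord], *names: str) -> List[FunctionRecord]:
    """Functions that call every API in `names`; useful for mapping a signature to its blocks."""
    return [r for r in records if set(names) <= set(r.api_names())]


if __name__ == "__main__":
    for r in parse_report(SAMPLE):
        print(r.meta.get("Opcode ID", "?")[:16], r.api_names(), "resolves:", dynamic_imports(r))
```

Because the Opcode ID and API String ID survive from one report to the next, the records this parser returns can be keyed on them to spot the same function across samples of the family without re-reading each report by hand.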
APIs
  • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
• GetFocus.USER32 ref: 0041C168
• GetDC.USER32(?), ref: 0041C174
• SelectPalette.GDI32(?,?,00000000), ref: 0041C195
• RealizePalette.GDI32(?), ref: 0041C1A1
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
• SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
• ReleaseDC.USER32(?,?), ref: 0041C1ED
Memory Dump Source
• Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
Similarity
• API ID: Palette$Select$BitsFocusObjectRealizeRelease
• String ID:
• API String ID: 3303097818-0
• Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
• Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
• Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
• Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C70
• GetSystemMetrics.USER32(0000000D), ref: 00418C78
• 6FC92980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
  • Part of subcall function 004107F8: 6FC8C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
• 6FCFCB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
• 6FCFC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
• 6FCFCB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
• 6FC90860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
Memory Dump Source
• Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
Similarity
• API ID: MetricsSystem$C400C740C90860C92980
• String ID:
• API String ID: 992039177-0
• Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
• Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
• Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
• Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
Strings
Memory Dump Source
• Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                • API String ID: 47109696-2530820420
                                                                                • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                APIs
                                                                                • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectSelect$Delete$Stretch
                                                                                • String ID:
                                                                                • API String ID: 1458357782-0
                                                                                • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                                • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 00495519
                                                                                  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                Strings
                                                                                • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                • API String ID: 2948443157-222967699
                                                                                • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                                • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                                APIs
                                                                                • GetCursorPos.USER32 ref: 004233AF
                                                                                • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                                • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                                • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                                • SetCursor.USER32(00000000), ref: 00423413
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                • String ID:
                                                                                • API String ID: 1770779139-0
                                                                                • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                                                • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                                                • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                • API String ID: 667068680-2254406584
                                                                                • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                                                • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
                                                                                • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc
                                                                                • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                • API String ID: 190572456-212574377
                                                                                • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                                                • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                  • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                  • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                  • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                • API String ID: 142928637-2676053874
                                                                                • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                • API String ID: 2238633743-1050967733
                                                                                • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule
                                                                                • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                • API String ID: 667068680-222143506
                                                                                • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                                APIs
                                                                                • GetFocus.USER32 ref: 0041B57E
                                                                                • GetDC.USER32(?), ref: 0041B58A
                                                                                • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                • String ID:
                                                                                • API String ID: 2502006586-0
                                                                                • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                APIs
                                                                                • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                • API String ID: 1452528299-1580325520
                                                                                • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDeviceMetricsSystem$Release
                                                                                • String ID:
                                                                                • API String ID: 447804332-0
                                                                                • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                • LocalFree.KERNEL32(0055E4A8,00000000,00401B68), ref: 00401ACF
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,0055E4A8,00000000,00401B68), ref: 00401AEE
                                                                                • LocalFree.KERNEL32(0055F4A8,?,00000000,00008000,0055E4A8,00000000,00401B68), ref: 00401B2D
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                • String ID:
                                                                                • API String ID: 3782394904-0
                                                                                • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                APIs
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                                • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                                • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long$Show
                                                                                • String ID:
                                                                                • API String ID: 3609083571-0
                                                                                • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                                • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                                APIs
                                                                                  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                                • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                                • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                                • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                                  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                • String ID:
                                                                                • API String ID: 3527656728-0
                                                                                • Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                • Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
                                                                                • Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                • Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
                                                                                APIs
                                                                                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID: !nI$.tmp$_iu
                                                                                • API String ID: 3498533004-584216493
                                                                                • Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                • Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
                                                                                • Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                • Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                                                APIs
                                                                                  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                • ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                • String ID: .dat$.msg$IMsg$Uninstall
                                                                                • API String ID: 3312786188-1660910688
                                                                                • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                                                • Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                • API String ID: 828529508-2866557904
                                                                                • Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                • Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
                                                                                • Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                • Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
                                                                                APIs
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                                                • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                • API String ID: 2573145106-3235461205
                                                                                • Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                                                • Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                • API String ID: 3478007392-2498399450
                                                                                • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                                • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                                APIs
                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                • String ID: AllowSetForegroundWindow$user32.dll
                                                                                • API String ID: 1782028327-3855017861
                                                                                • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                                                • Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
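The two function blocks above (0042E9C2 and 00477BAF) are what the "Contains functionality to dynamically determine API calls" signature in the report header is built on: GetModuleHandleA("user32.dll") followed by GetProcAddress in the same function, with the export name (ChangeWindowMessageFilter, AllowSetForegroundWindow) visible in the recovered argument column. The script below is an added example, not code from the Joe Sandbox report or from the analysed sample. It parses the plain-text rendering of these blocks and lists the module/export pairs the binary resolves at runtime, so an analyst can compare them against the static import table. It assumes the block layout shown on this page ("APIs" header, one bullet per call, "Memory Dump Source" closing the block) and reads the argument column as the stack contents at the call site; that reading is an interpretation (GetModuleHandleA takes one argument, yet several are listed, and the name pushed for the following GetProcAddress is among them). The sample text is constructed from the report's own lines plus one control block.

```python
"""Extract dynamically resolved imports from Joe Sandbox function blocks.

Added example; not code from the Joe Sandbox report or from the analysed
sample. Assumes the plain-text rendering of the report: each function block
opens with an 'APIs' header, lists calls as
    • Name.MODULE(arg1,arg2,...), ref: XXXXXXXX
and is closed by the 'Memory Dump Source' header. The argument column is
treated as the stack snapshot at the call (an interpretation, see lead-in).
"""
import re

# Constructed sample text: three blocks modelled on the report's own lines.
# The third block resolves nothing at runtime and serves as the control case.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70), ref: 0042E9C2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
• InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
Memory Dump Source
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93), ref: 00477BAF
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
Memory Dump Source
APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
• GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
Memory Dump Source
"""

# One API call line: bullet, Name.MODULE(args), ref: eight hex digits.
API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})$")
# Stack slots the analyser could not name: raw 32-bit values or '?'.
OPAQUE = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")
# Calls that turn a DLL name into a module handle for a later GetProcAddress.
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_blocks(text):
    """Split report text into function blocks; each block is a list of
    (api, module, [args], ref) tuples. Lines that are not API calls
    (strings, hashes, 'Part of subcall' notes) are ignored."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
        elif line == "Memory Dump Source":
            blocks.append(current)
            current = []
        else:
            m = API_LINE.match(line)
            if m:
                api, module, args, ref = m.groups()
                current.append((api, module, [a.strip() for a in args.split(",")], ref))
    return blocks


def dynamic_imports(blocks):
    """Return (dll, export, ref) for every resolver call in a block that also
    calls GetProcAddress. The DLL name and the export name are the only
    non-opaque strings left on the stack at that point."""
    found = []
    for calls in blocks:
        if not any(api == "GetProcAddress" for api, _, _, _ in calls):
            continue
        for api, _module, args, ref in calls:
            if api not in RESOLVERS:
                continue
            strings = [a for a in args if a and not OPAQUE.match(a)]
            dlls = [s for s in strings if s.lower().endswith(".dll")]
            exports = [s for s in strings if s not in dlls]
            for dll in dlls:
                for export in exports:
                    found.append((dll.lower(), export, ref))
    return found


if __name__ == "__main__":
    for dll, export, ref in dynamic_imports(parse_blocks(SAMPLE)):
        print(f"{ref}: {dll}!{export}")
```

Run against the real report text, the output is the list of exports the stub resolves by name at runtime; anything in that list that is absent from the PE import directory is a candidate for closer inspection, since an installer stub legitimately resolves a few version-dependent user32 exports this way (as here), whereas a payload that resolves most of its API surface through GetProcAddress is hiding its imports.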
                                                                                APIs
                                                                                • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                • SaveDC.GDI32(?), ref: 00416C83
                                                                                • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                • String ID:
                                                                                • API String ID: 3808407030-0
                                                                                • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                • GetDC.USER32(00000000), ref: 0041BC12
                                                                                • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                • String ID:
                                                                                • API String ID: 1095203571-0
                                                                                • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                                APIs
                                                                                  • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                                Strings
                                                                                • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                                • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                                • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                • API String ID: 1452528299-4018462623
                                                                                • Opcode ID: 84f5240d3e2a5678dc298f5d2d5fcd3d219003d8bdc0b17d0e0e8e1e879b006c
                                                                                • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                                                • Opcode Fuzzy Hash: 84f5240d3e2a5678dc298f5d2d5fcd3d219003d8bdc0b17d0e0e8e1e879b006c
                                                                                • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocString
                                                                                • String ID:
                                                                                • API String ID: 262959230-0
                                                                                • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                APIs
                                                                                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                                                • RealizePalette.GDI32(00000000), ref: 00414421
                                                                                • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                                                • RealizePalette.GDI32(00000000), ref: 0041443B
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Palette$RealizeSelect$Release
                                                                                • String ID:
                                                                                • API String ID: 2261976640-0
                                                                                • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                                                • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                                                APIs
                                                                                  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                                  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                                  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                                  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                                                • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                                                • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                                                • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                                  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                                  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                                  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                                  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                                                • String ID: vLB
                                                                                • API String ID: 1477829881-1797516613
                                                                                • Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                                                • Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                                                APIs
                                                                                • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                                                • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                                                • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Enum$NameOpenResourceUniversal
                                                                                • String ID: Z
                                                                                • API String ID: 3604996873-1505515367
                                                                                • Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                • Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
                                                                                • Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                • Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                                                APIs
                                                                                • SetRectEmpty.USER32(?), ref: 0044D04E
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
                                                                                • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DrawText$EmptyRect
                                                                                • String ID:
                                                                                • API String ID: 182455014-2867612384
                                                                                • Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                • Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
                                                                                • Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                • Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 0042EF9E
                                                                                  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                • SelectObject.GDI32(?,00000000), ref: 0042EFC1
                                                                                • ReleaseDC.USER32(00000000,?), ref: 0042F0A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFontIndirectObjectReleaseSelect
                                                                                • String ID: ...\
                                                                                • API String ID: 3133960002-983595016
                                                                                • Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                • Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
                                                                                • Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                • Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
                                                                                APIs
                                                                                • GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
                                                                                • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: File$Attributes$Move
                                                                                • String ID: isRS-%.3u.tmp
                                                                                • API String ID: 3839737484-3657609586
                                                                                • Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                • Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
                                                                                • Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                • Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ExitMessageProcess
                                                                                • String ID: Error$Runtime error at 00000000
                                                                                • API String ID: 1220098344-2970929446
                                                                                • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                APIs
                                                                                  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                                • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                • String ID: LoadTypeLib$RegisterTypeLib
                                                                                • API String ID: 1312246647-2435364021
                                                                                • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                                                • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                                                • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                                                Strings
                                                                                • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                                                • Failed to create DebugClientWnd, xrefs: 004571D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                • API String ID: 3850602802-3720027226
                                                                                • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                                                • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                                                APIs
                                                                                  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                • GetFocus.USER32 ref: 00478757
                                                                                • GetKeyState.USER32(0000007A), ref: 00478769
                                                                                • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FocusMessageStateTextWaitWindow
                                                                                • String ID: Wnd=$%x
                                                                                • API String ID: 1381870634-2927251529
                                                                                • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                                                • Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                                                APIs
                                                                                • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                                                • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Time$File$LocalSystem
                                                                                • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                • API String ID: 1748579591-1013271723
                                                                                • Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                • Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
                                                                                • Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                • Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                                  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                                  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: File$AttributesDeleteErrorLastMove
                                                                                • String ID: DeleteFile$MoveFile
                                                                                • API String ID: 3024442154-139070271
                                                                                • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                                • Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                • API String ID: 47109696-2631785700
                                                                                • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                                                • Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                                                • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                                                Strings
                                                                                • CSDVersion, xrefs: 00483BFC
                                                                                • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                • API String ID: 3677997916-1910633163
                                                                                • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                                • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                • API String ID: 1646373207-4063490227
                                                                                • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                • API String ID: 1646373207-260599015
                                                                                • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: NotifyWinEvent$user32.dll
                                                                                • API String ID: 1646373207-597752486
                                                                                • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                • API String ID: 1646373207-834958232
                                                                                • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                APIs
                                                                                  • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                • API String ID: 2238633743-2683653824
                                                                                • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                APIs
                                                                                • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileNext
                                                                                • String ID:
                                                                                • API String ID: 2066263336-0
                                                                                • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
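Every function entry on this page uses the same layout: an "APIs" list of calls (direct, or "Part of subcall function"), a "Memory Dump Source" block, the IDA plugin snapshot, and a "Similarity" block whose API String ID, Opcode ID and Instruction Fuzzy Hash are what you would match against other reports. The Python below, added here as a worked example and not part of the Joe Sandbox report or its IDA plugin, parses that layout into records, indexes them by API, and flags entries that resolve imports at run time through LoadLibrary*/GetProcAddress. The SAMPLE text is constructed from three of the records shown on this page with the indentation removed; the field names and helper functions are this example's own. One caveat the GetProcAddress entry above illustrates: the plugin's argument lists are reconstructed from the stack, so a string can appear in a neighbouring slot (shell32.dll, a LoadLibraryA argument, shows up as the second GetProcAddress argument), which is why the example collects strings per record rather than trusting positions.

```python
"""Parse Joe Sandbox per-function 'APIs / Similarity' records (added example)."""
import re
from collections import defaultdict

# Constructed sample: three records copied in the report's layout, indentation removed.
SAMPLE = """\
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0), ref: 0047D7CC
• FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0), ref: 0047D7EA
Memory Dump Source
• Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
• Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
APIs
  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
• GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
APIs
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
"""

# One API call line. The argument list is optional (GetTickCount has none) and
# may nest parentheses (MOVEFILE_REPLACE_EXISTING), so it is matched greedily.
CALL_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
HEX_OR_UNKNOWN = re.compile(r"[0-9A-F]{8}|\?")


def parse_report(text):
    """Return one dict per 'APIs' record: its calls and its Similarity fields."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"calls": [], "similarity": {}}
            records.append(rec)
            section = "apis"
            continue
        if line in SECTIONS:
            section = line
            continue
        if rec is None:
            continue
        if section == "apis":
            m = CALL_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec["calls"].append({"api": m["api"], "module": m["module"],
                                     "args": args, "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                key = m["key"].strip().lower().replace(" ", "_")  # e.g. api_string_id
                rec["similarity"][key] = m["val"].strip()
    return records


def index_by_api(records):
    """Map each API name to the record indexes that call it, directly or via a subcall."""
    idx = defaultdict(list)
    for i, rec in enumerate(records):
        for name in sorted({c["api"] for c in rec["calls"]}):
            idx[name].append(i)
    return dict(idx)


def dynamic_imports(records):
    """Records pairing LoadLibrary* with GetProcAddress, plus the non-numeric
    strings seen on those calls (DLL and export names the plugin recovered)."""
    out = []
    for i, rec in enumerate(records):
        names = {c["api"] for c in rec["calls"]}
        if "GetProcAddress" not in names or not any(n.startswith("LoadLibrary") for n in names):
            continue
        strings = {a for c in rec["calls"]
                   if c["api"] == "GetProcAddress" or c["api"].startswith("LoadLibrary")
                   for a in c["args"] if not HEX_OR_UNKNOWN.fullmatch(a)}
        out.append((i, sorted(strings)))
    return out


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for i, r in enumerate(recs):
        print(i, r["similarity"].get("api_string_id"), [c["api"] for c in r["calls"]])
    print("dynamic imports:", dynamic_imports(recs))
```

Run it against the full report text after removing the leading indentation; the `api_string_id` and `opcode_id` values can then be compared across reports of other samples to find shared functions.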
                                                                                APIs
                                                                                  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CountErrorFileLastMoveTick
                                                                                • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                • API String ID: 2406187244-2685451598
                                                                                • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 00413D46
                                                                                • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                  • Part of subcall function 00418EC0: 6FCFC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                  • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CursorDesktopWindow$Show
                                                                                • String ID:
                                                                                • API String ID: 2074268717-0
                                                                                • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                                • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                                • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                                • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                                • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: LoadString$FileMessageModuleName
                                                                                • String ID:
                                                                                • API String ID: 704749118-0
                                                                                • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                                • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                  • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                  • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                • String ID:
                                                                                • API String ID: 855768636-0
                                                                                • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                                • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                                APIs
                                                                                • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                                                • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                                                • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                                                • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: OffsetRect
                                                                                • String ID:
                                                                                • API String ID: 177026234-0
                                                                                • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                                                • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                                                APIs
                                                                                • GetCursorPos.USER32 ref: 00417260
                                                                                • SetCursor.USER32(00000000), ref: 004172A3
                                                                                • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                                • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                • String ID:
                                                                                • API String ID: 1959210111-0
                                                                                • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                                • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                                APIs
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                                                • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                                                • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                                                APIs
                                                                                • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                                • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                                • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                                • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                • String ID:
                                                                                • API String ID: 4025006896-0
                                                                                • Opcode ID: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                                • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                                • Opcode Fuzzy Hash: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                                • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                                APIs
                                                                                • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                • String ID:
                                                                                • API String ID: 4071923889-0
                                                                                • Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                                • Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                                • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                                • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                                • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                                • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                                                Strings
                                                                                • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                                                • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                                                • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                • API String ID: 1452528299-3038984924
                                                                                • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                                • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                                Strings
                                                                                • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                                • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                                • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                • API String ID: 1452528299-1392080489
                                                                                • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                                • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                                                • RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                                • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                                • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                                Similarity
                                                                                • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                • String ID:
                                                                                • API String ID: 4283692357-0
                                                                                • Opcode ID: f8aea33aa1dfe48501da451cbaaab358c9a7ac193b9fd61d7dd35e15a1d684ec
                                                                                • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                                • Opcode Fuzzy Hash: f8aea33aa1dfe48501da451cbaaab358c9a7ac193b9fd61d7dd35e15a1d684ec
                                                                                • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: ErrorLast$CountSleepTick
                                                                                • String ID:
                                                                                • API String ID: 2227064392-0
                                                                                • Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                                                • Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                Similarity
                                                                                • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                • String ID:
                                                                                • API String ID: 215268677-0
                                                                                • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                                • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
                                                                                APIs
                                                                                • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                Similarity
                                                                                • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                • String ID:
                                                                                • API String ID: 2280970139-0
                                                                                • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                                • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                                APIs
                                                                                • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                                • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                                Similarity
                                                                                • API ID: Global$AllocHandleLockUnlock
                                                                                • String ID:
                                                                                • API String ID: 2167344118-0
                                                                                • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                                • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                                APIs
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                Strings
                                                                                • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                • API String ID: 3535843008-1938159461
                                                                                • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                                • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                Strings
                                                                                • Will not restart Windows automatically., xrefs: 004836F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ActiveForeground
                                                                                • String ID: Will not restart Windows automatically.
                                                                                • API String ID: 307657957-4169339592
                                                                                • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                                • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                                APIs
                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                                • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                                Strings
                                                                                • Extracting temporary file: , xrefs: 004763EC
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: FileTime$Local
                                                                                • String ID: Extracting temporary file:
                                                                                • API String ID: 791338737-4171118009
                                                                                • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                                                • Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
                                                                                Strings
                                                                                • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                                • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                • API String ID: 0-1974262853
                                                                                • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                                                • Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                                                APIs
                                                                                  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                                Strings
                                                                                • %s\%s_is1, xrefs: 00478F10
                                                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                • API String ID: 47109696-1598650737
                                                                                • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                                APIs
                                                                                • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ExecuteMessageSendShell
                                                                                • String ID: open
                                                                                • API String ID: 812272486-2758837156
                                                                                • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                APIs
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                • String ID: <
                                                                                • API String ID: 893404051-4251816714
                                                                                • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                APIs
                                                                                • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0224C520,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                • String ID: )
                                                                                • API String ID: 2227675388-1084416617
                                                                                • Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                • Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
                                                                                • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Window
                                                                                • String ID: /INITPROCWND=$%x $@
                                                                                • API String ID: 2353593579-4169826103
                                                                                • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                APIs
                                                                                  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: String$AllocByteCharFreeMultiWide
                                                                                • String ID: NIL Interface Exception$Unknown Method
                                                                                • API String ID: 3952431833-1023667238
                                                                                • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                  • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateErrorHandleLastProcess
                                                                                • String ID: 0nI
                                                                                • API String ID: 3798668922-794067871
                                                                                • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                APIs
                                                                                • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Value$EnumQuery
                                                                                • String ID: Inno Setup: No Icons
                                                                                • API String ID: 1576479698-2016326496
                                                                                • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: AttributesErrorFileLast
                                                                                • String ID: T$H
                                                                                • API String ID: 1799206407-488339322
                                                                                • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: T$H
                                                                                • API String ID: 2018770650-488339322
                                                                                • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                                • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                                APIs
                                                                                • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: DirectoryErrorLastRemove
                                                                                • String ID: T$H
                                                                                • API String ID: 377330604-488339322
                                                                                • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                APIs
                                                                                  • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(74210000,00481A2F), ref: 0047D0E2
                                                                                  • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                  • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                Strings
                                                                                • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                • String ID: Detected restart. Removing temporary directory.
                                                                                • API String ID: 1717587489-3199836293
                                                                                • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.3151759219.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000001.00000002.3151556733.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152025683.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152079581.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152128414.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                • Associated: 00000001.00000002.3152163088.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_400000_gjEtERlBSv.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 1458359878-0
                                                                                • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

Execution Graph

Execution Coverage: 1%
Dynamic/Decrypted Code Coverage: 62.9%
Signature Coverage: 21%
Total number of Nodes: 442
Total number of Limit Nodes: 28
                                                                                execution_graph 61058 40d4c1 61062 401897 61058->61062 61063 40d070 61062->61063 61064 24e104d 61069 24f23a4 61064->61069 61075 24f22a8 61069->61075 61071 24e1057 61072 24e1aa9 InterlockedIncrement 61071->61072 61073 24e105c 61072->61073 61074 24e1ac5 WSAStartup InterlockedExchange 61072->61074 61074->61073 61076 24f22b4 __initptd 61075->61076 61083 24f7140 61076->61083 61082 24f22db __initptd 61082->61071 61100 24f749b 61083->61100 61085 24f22bd 61086 24f22ec RtlDecodePointer RtlDecodePointer 61085->61086 61087 24f22c9 61086->61087 61088 24f2319 61086->61088 61097 24f22e6 61087->61097 61088->61087 61109 24f7d0d 60 API calls __write 61088->61109 61090 24f237c RtlEncodePointer RtlEncodePointer 61090->61087 61091 24f232b 61091->61090 61093 24f2350 61091->61093 61110 24f76a9 62 API calls __realloc_crt 61091->61110 61093->61087 61095 24f236a RtlEncodePointer 61093->61095 61111 24f76a9 62 API calls __realloc_crt 61093->61111 61095->61090 61096 24f2364 61096->61087 61096->61095 61112 24f7149 61097->61112 61101 24f74bf RtlEnterCriticalSection 61100->61101 61102 24f74ac 61100->61102 61101->61085 61107 24f7523 59 API calls 10 library calls 61102->61107 61104 24f74b2 61104->61101 61108 24f6fed 59 API calls 3 library calls 61104->61108 61107->61104 61109->61091 61110->61093 61111->61096 61115 24f7605 RtlLeaveCriticalSection 61112->61115 61114 24f22eb 61114->61082 61115->61114 61116 40de43 61118 4022c1 61116->61118 61117 40de4f 61118->61117 61119 40dbb9 Sleep 61118->61119 61120 40dbbf 61119->61120 61120->61120 61121 40d247 61122 40d4e9 61121->61122 61125 401301 FindResourceA 61122->61125 61124 40d4ee 61126 401360 61125->61126 61127 401367 SizeofResource 61125->61127 61126->61124 61127->61126 61128 401386 LoadResource LockResource GlobalAlloc 61127->61128 61129 4013cc 61128->61129 61130 40141f GetTickCount 61129->61130 61132 40142a GlobalAlloc 61130->61132 61132->61126 61133 401c8a CopyFileA 61134 
402391 61133->61134 61137 253c59e 61138 255545c InternetReadFile 61137->61138 61139 40184f OpenSCManagerA 61140 401b68 61139->61140 61141 40170f Sleep 61142 402453 61141->61142 61143 4022d5 61144 40d3c5 CopyFileA 61143->61144 61145 40d7bb 61144->61145 61146 24e5e59 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 61216 24e42c7 61146->61216 61148 24e5ec6 GetTickCount 61149 24e59f4 59 API calls 61148->61149 61150 24e5ee3 GetVersionExA 61149->61150 61151 24e5f24 _memset 61150->61151 61152 24f1fac _malloc 59 API calls 61151->61152 61153 24e5f31 61152->61153 61154 24f1fac _malloc 59 API calls 61153->61154 61155 24e5f41 61154->61155 61156 24f1fac _malloc 59 API calls 61155->61156 61157 24e5f4c 61156->61157 61158 24f1fac _malloc 59 API calls 61157->61158 61159 24e5f57 61158->61159 61160 24f1fac _malloc 59 API calls 61159->61160 61161 24e5f62 61160->61161 61162 24f1fac _malloc 59 API calls 61161->61162 61163 24e5f6d 61162->61163 61164 24f1fac _malloc 59 API calls 61163->61164 61165 24e5f78 61164->61165 61166 24f1fac _malloc 59 API calls 61165->61166 61167 24e5f84 6 API calls 61166->61167 61168 24e5fd1 _memset 61167->61168 61169 24e5fea RtlEnterCriticalSection RtlLeaveCriticalSection 61168->61169 61170 24f1fac _malloc 59 API calls 61169->61170 61171 24e6026 61170->61171 61172 24f1fac _malloc 59 API calls 61171->61172 61173 24e6034 61172->61173 61174 24f1fac _malloc 59 API calls 61173->61174 61175 24e603b 61174->61175 61176 24f1fac _malloc 59 API calls 61175->61176 61177 24e605c QueryPerformanceCounter Sleep 61176->61177 61178 24f1fac _malloc 59 API calls 61177->61178 61179 24e6082 61178->61179 61180 24f1fac _malloc 59 API calls 61179->61180 61208 24e6092 _memset 61180->61208 61181 24e6105 RtlEnterCriticalSection RtlLeaveCriticalSection 61181->61208 61182 24e60ff Sleep 61182->61181 61183 24e6499 RtlEnterCriticalSection RtlLeaveCriticalSection 61184 24f133c 66 API calls 61183->61184 61184->61208 61185 24f133c 66 API calls 
61185->61208 61186 24f1fac _malloc 59 API calls 61187 24e653b RtlEnterCriticalSection RtlLeaveCriticalSection 61186->61187 61187->61208 61188 24e67f2 RtlEnterCriticalSection RtlLeaveCriticalSection 61188->61208 61189 24e5c0c 59 API calls 61189->61208 61190 24f1418 _sprintf 82 API calls 61190->61208 61191 24e1ba7 RtlEnterCriticalSection RtlLeaveCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection 61191->61208 61192 24e6957 RtlEnterCriticalSection 61193 24e6984 RtlLeaveCriticalSection 61192->61193 61192->61208 61195 24e3c67 72 API calls 61193->61195 61194 24f1fac _malloc 59 API calls 61194->61208 61195->61208 61196 24e3d7e 64 API calls 61196->61208 61197 24e7336 89 API calls 61197->61208 61198 24f25e6 65 API calls _strtok 61198->61208 61199 24e9721 73 API calls 61199->61208 61200 24e7fff 88 API calls 61200->61208 61201 24f1f74 _free 59 API calls 61201->61208 61202 24f27b5 _Allocate 60 API calls 61202->61208 61203 24e73e5 71 API calls 61203->61208 61204 24f1850 _swscanf 59 API calls 61204->61208 61205 24e33b2 86 API calls 61205->61208 61206 24e8733 6 API calls 61206->61208 61207 24e984b 60 API calls 61207->61208 61208->61181 61208->61182 61208->61183 61208->61185 61208->61186 61208->61188 61208->61189 61208->61190 61208->61191 61208->61192 61208->61193 61208->61194 61208->61196 61208->61197 61208->61198 61208->61199 61208->61200 61208->61201 61208->61202 61208->61203 61208->61204 61208->61205 61208->61206 61208->61207 61208->61208 61209 24e5119 103 API calls 61208->61209 61210 24ec113 73 API calls 61208->61210 61211 24e9c0b 88 API calls 61208->61211 61212 24e676f Sleep 61208->61212 61214 24e676a shared_ptr 61208->61214 61209->61208 61210->61208 61211->61208 61213 24f08f0 GetProcessHeap HeapFree 61212->61213 61213->61214 61214->61208 61214->61212 61215 24e4100 GetProcessHeap HeapFree 61214->61215 61215->61214 61217 251ef89 InternetOpenA 61218 257f963 61217->61218 61219 252ab0a 61220 256f12a CreateFileA 61219->61220 61221 401e9a 61222 4023fe LoadLibraryExA 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • RtlInitializeCriticalSection.NTDLL(02514FD0), ref: 024E5E8D
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 024E5EA4
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 024E5EAD
                                                                                • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 024E5EBC
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 024E5EBF
                                                                                • GetTickCount.KERNEL32 ref: 024E5ED3
                                                                                  • Part of subcall function 024E59F4: _malloc.LIBCMT ref: 024E5A02
                                                                                • GetVersionExA.KERNEL32(02514E20), ref: 024E5F00
                                                                                • _memset.LIBCMT ref: 024E5F1F
                                                                                • _malloc.LIBCMT ref: 024E5F2C
                                                                                  • Part of subcall function 024F1FAC: __FF_MSGBANNER.LIBCMT ref: 024F1FC3
                                                                                  • Part of subcall function 024F1FAC: __NMSG_WRITE.LIBCMT ref: 024F1FCA
                                                                                  • Part of subcall function 024F1FAC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 024F1FEF
                                                                                • _malloc.LIBCMT ref: 024E5F3C
                                                                                • _malloc.LIBCMT ref: 024E5F47
                                                                                • _malloc.LIBCMT ref: 024E5F52
                                                                                • _malloc.LIBCMT ref: 024E5F5D
                                                                                • _malloc.LIBCMT ref: 024E5F68
                                                                                • _malloc.LIBCMT ref: 024E5F73
                                                                                • _malloc.LIBCMT ref: 024E5F7F
                                                                                • GetProcessHeap.KERNEL32(00000000,00000004), ref: 024E5F96
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 024E5F9F
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 024E5FAB
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 024E5FAE
                                                                                • GetProcessHeap.KERNEL32(00000000,00000400), ref: 024E5FB9
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 024E5FBC
                                                                                • _memset.LIBCMT ref: 024E5FCC
                                                                                • _memset.LIBCMT ref: 024E5FD8
                                                                                • _memset.LIBCMT ref: 024E5FE5
                                                                                • RtlEnterCriticalSection.NTDLL(02514FD0), ref: 024E5FF3
                                                                                • RtlLeaveCriticalSection.NTDLL(02514FD0), ref: 024E6000
                                                                                • _malloc.LIBCMT ref: 024E6021
                                                                                • _malloc.LIBCMT ref: 024E602F
                                                                                • _malloc.LIBCMT ref: 024E6036
                                                                                • _malloc.LIBCMT ref: 024E6057
                                                                                • QueryPerformanceCounter.KERNEL32(00000200), ref: 024E6063
                                                                                • Sleep.KERNEL32(00000000), ref: 024E6071
                                                                                • _malloc.LIBCMT ref: 024E607D
                                                                                • _malloc.LIBCMT ref: 024E608D
                                                                                • _memset.LIBCMT ref: 024E60A2
                                                                                • _memset.LIBCMT ref: 024E60B2
                                                                                • Sleep.KERNEL32(0000EA60), ref: 024E60FF
                                                                                • RtlEnterCriticalSection.NTDLL(02514FD0), ref: 024E610A
                                                                                • RtlLeaveCriticalSection.NTDLL(02514FD0), ref: 024E611B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _malloc$Heap$_memset$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                • API String ID: 1856495841-1038016512
                                                                                • Opcode ID: f3ed6e5293e13941cfcfbde6df04b23552f263f3c4c08d9b9c0490b46efe7803
                                                                                • Instruction ID: 4428e38f627f7303ff05f1ca974a290fdb8db14eb73828410f1319b7086ebfc0
                                                                                • Opcode Fuzzy Hash: f3ed6e5293e13941cfcfbde6df04b23552f263f3c4c08d9b9c0490b46efe7803
                                                                                • Instruction Fuzzy Hash: F871A3B1D443809BE310AF75AC59B6B7BD8BF85310F050C1EF68997380DBB855188F9A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 024EE9BC
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 024EE9D5
                                                                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 024EE9FA
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 024EEA83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                • API String ID: 514930453-3114217049
                                                                                • Opcode ID: 79c2786602e617870a08ba4940286534f1be1a3c8e2a924040c01f9146df2349
                                                                                • Instruction ID: 86e262d54675b4e6ef076a5210b8705297b86a8cc179761a412ad499c30a018c
                                                                                • Opcode Fuzzy Hash: 79c2786602e617870a08ba4940286534f1be1a3c8e2a924040c01f9146df2349
                                                                                • Instruction Fuzzy Hash: A721A275B002099BEF20DFA9D884AFEBBB9BF45325F1441AED506E7341E7308945CBA4

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32 ref: 00401B77
                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00401D69
                                                                                • lstrcmpiW.KERNEL32(?,/chk), ref: 0040D22E
                                                                                Strings
                                                                                • C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe, xrefs: 0040D969
                                                                                • /chk, xrefs: 00402354
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CtrlDispatcherLocalServiceStartTimelstrcmpi
                                                                                • String ID: /chk$C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
                                                                                • API String ID: 4108452588-3799223930
                                                                                • Opcode ID: 14abd96c7034f17aeb1b3f18f29401f5671076e9c0fb83610bf7249aa4a1bf51
                                                                                • Instruction ID: dab398558c3158c611aadee03afd8e5461a3d66efaa6d756114f95917e6ea1cd
                                                                                • Opcode Fuzzy Hash: 14abd96c7034f17aeb1b3f18f29401f5671076e9c0fb83610bf7249aa4a1bf51
                                                                                • Instruction Fuzzy Hash: F1312670A04155CBCB149F64AE556EA3BB4FB16300F1480BBD896B61E2C73C8D4AEF1D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 024EE8C1
                                                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 024EE8FF
                                                                                • GetLastError.KERNEL32 ref: 024EE960
                                                                                • CloseHandle.KERNEL32(?), ref: 024EE997
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                • String ID: \\.\PhysicalDrive0
                                                                                • API String ID: 4026078076-1180397377
                                                                                • Opcode ID: 94843b979f23e1db31e30a9c1f560b431e1e216dabbde61b31e30eecb26e95ff
                                                                                • Instruction ID: 0c248dc99a8049f48d09f84196dfc6e3697cebee1c5039248d13fece04e98335
                                                                                • Opcode Fuzzy Hash: 94843b979f23e1db31e30a9c1f560b431e1e216dabbde61b31e30eecb26e95ff
                                                                                • Instruction Fuzzy Hash: 4B31A271E00215ABEF24CF94D894BBFBBB4FF45725F14416AE506A7240D7705A04CB94

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32 ref: 0040165C
                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00401D69
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CtrlDispatcherServiceStartlstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 369133424-0
                                                                                • Opcode ID: 5197634a4cd9ef4667aec51ed7aa61f8b86080da101c4e843cd25134d8bb97f1
                                                                                • Instruction ID: 5b82d45571270f7cc6fea729efc416a0c07434386a543da6a723d1013668e0f7
                                                                                • Opcode Fuzzy Hash: 5197634a4cd9ef4667aec51ed7aa61f8b86080da101c4e843cd25134d8bb97f1
                                                                                • Instruction Fuzzy Hash: 3641063481955ACBCB10AF65DE943EA7BB4FB06381F0445B6C449B61A2C7388D4BEF4D
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.0000000002518000.00000040.00001000.00020000.00000000.sdmp, Offset: 02518000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2518000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: FileInternetRead
                                                                                • String ID:
                                                                                • API String ID: 778332206-0
                                                                                • Opcode ID: 07259077b581c20a991bbaef701aabc6d37f2c56bb28f282374afee54d9f953a
                                                                                • Instruction ID: ed3dd8558850a03d0e5f200e78d7d20d3317be7c677fe264b91bd9914d57c98b
                                                                                • Opcode Fuzzy Hash: 07259077b581c20a991bbaef701aabc6d37f2c56bb28f282374afee54d9f953a
                                                                                • Instruction Fuzzy Hash: E4F098F291C224AFE756BA48DC557BAB7E8EF05311F06482DE785C3640EA3558408BDB

                                                                                 Control-flow Graph
                                                                                 (rendered graph omitted; entry block 24e6357. The loop at 24e60eb-24e6134 polls with Sleep under RtlEnterCriticalSection/RtlLeaveCriticalSection; further critical-section pairs sit at 24e6499, 24e6534, 24e67e2 and 24e6957/24e6984, with another Sleep at 24e676f before the block that parses the server response.)
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$dC^$disconnect$idle$updips$updurls
                                                                                • API String ID: 0-3985672608
                                                                                • Opcode ID: 9985d2c4438b5c52609b59b66206a04787911ad82efaec790e007cbc02f06008
                                                                                • Instruction ID: d4d75143d75cf25f1c16a30228967d8c698de2386885fc9ee107ba6f025ac724
                                                                                • Opcode Fuzzy Hash: 9985d2c4438b5c52609b59b66206a04787911ad82efaec790e007cbc02f06008
                                                                                • Instruction Fuzzy Hash: 232231716083819FFB259F20D895BAF7BE9AFD6715F10481FE18A87281EB709408CF56

                                                                                 Control-flow Graph
                                                                                 (rendered graph omitted; entry block 24e642a, a second entry into the same command loop: Sleep and RtlEnterCriticalSection/RtlLeaveCriticalSection polling at 24e60eb-24e6134, critical-section pairs at 24e6499, 24e6534, 24e67e2 and 24e6957/24e6984, Sleep at 24e676f.)
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _memset$CriticalSection$EnterLeave_malloc_strtok$_free_swscanf
                                                                                • String ID: <htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                • API String ID: 3441009308-1437582238
                                                                                • Opcode ID: e1e5a798c5af39f0d44a5a00f5bcced194aff167120f55adb694556c684c4484
                                                                                • Instruction ID: 5d16fe7f73f621a511dd1f313de7581e1c7c2bd9a302026bed5cfd99806e8839
                                                                                • Opcode Fuzzy Hash: e1e5a798c5af39f0d44a5a00f5bcced194aff167120f55adb694556c684c4484
                                                                                • Instruction Fuzzy Hash: 14A175316483409BFB10AB319C91B6F3BDAAFD6715F14081FF68A97381DB60D804CB5A
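The two String ID values above (the function at 24e6357 and the one at 24e642a) are the Socks5Systemz command vocabulary: auth_ip, auth_swith, block, connect, disconnect, idle, updips, updurls, plus the User-Agent the bot sends. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it parses those String ID values exactly as printed, derives the keyword set, and scans a raw memory dump for them, requiring whole-token matches so that "connect" does not fire on "connection". The dump bytes are constructed for the example, and the noise filter and the four-keyword threshold are my assumptions.

```python
"""Scan a process memory dump for the Socks5Systemz command vocabulary.

Added example; not code from the Joe Sandbox report or from the sample.
"""
import re
from typing import Dict, List, Set

# The two "String ID" values from the report, verbatim. Joe Sandbox joins the
# strings a function references with "$".
REPORT_STRING_IDS = [
    "$%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$dC^$disconnect$idle$updips$updurls",
    "<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls",
]

USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"


def parse_string_id(value: str) -> List[str]:
    """Split a Joe Sandbox 'String ID' value into its individual strings."""
    return [s for s in value.split("$") if s]


# Tokens too generic to alert on (assumption: a format string, an HTML prefix
# and a stray fragment). The user agent is matched separately as an exact string.
NOISE: Set[str] = {"%d;", "<htm", "dC^", USER_AGENT}
COMMAND_KEYWORDS: Set[str] = {
    s for value in REPORT_STRING_IDS for s in parse_string_id(value)
} - NOISE
MIN_KEYWORDS = 4  # assumption: distinct commands needed before calling it a match


def extract_strings(dump: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, dump)]


def has_whole_token(keyword: str, text: str) -> bool:
    """True if keyword appears as a standalone token: 'connect' must not
    match inside 'disconnect' or 'connection'."""
    rx = r"(?<![A-Za-z0-9_])" + re.escape(keyword) + r"(?![A-Za-z0-9_])"
    return re.search(rx, text) is not None


def scan_dump(dump: bytes) -> Dict[str, object]:
    """Report which command keywords and whether the spoofed UA are present."""
    found: Set[str] = set()
    ua_seen = False
    for s in extract_strings(dump):
        if USER_AGENT in s:
            ua_seen = True
        for kw in COMMAND_KEYWORDS:
            if has_whole_token(kw, s):
                found.add(kw)
    return {
        "keywords": sorted(found),
        "user_agent": ua_seen,
        "match": ua_seen and len(found) >= MIN_KEYWORDS,
    }


# Constructed sample dumps (not taken from the analysis): one that mimics the
# unpacked Socks5Systemz module, one benign HTTP buffer with look-alike words.
SAMPLE_DUMP = (
    b"\x00\x10\x40\x00MZ\x90\x00"
    + b"auth_ip\x00auth_swith\x00updips\x00updurls\x00"
    + b"connect\x00disconnect\x00idle\x00"
    + USER_AGENT.encode("ascii") + b"\x00"
    + b"connection refused\x00blocked\x00"  # must not count as connect/block
)
BENIGN_DUMP = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"connection: close\r\n"
)

if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP))
    print(scan_dump(BENIGN_DUMP))
```

Run it against the unpacked region (the 024E1000 dump above, not the 00400000 image, which is the packed loader and carries none of these strings). The User-Agent is worth a network-side rule on its own: no Windows release reports itself as "Windows NT 9.0", so the string identifies the bot rather than a browser.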

                                                                                 Control-flow Graph
                                                                                 (rendered graph omitted; entry block 401301. FindResourceA in block 401301-40135e, SizeofResource in 401367-40137d, LoadResource/LockResource/GlobalAlloc in 401386-4013fe, GetTickCount in 40141f-401428 and a second GlobalAlloc in 4014f0-401525: the loader pulls an embedded resource into heap memory before handing it to 401000.)
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindSizeof
                                                                                • String ID:
                                                                                • API String ID: 3019604839-3916222277
                                                                                • Opcode ID: 138cf1d2708028cd6e9096853fa836b610bce6da07ce657d635f6670e06ad364
                                                                                • Instruction ID: b28a29316e79cb766f5da1f380b87f9e4da6436ce9bd12b8eed34f014587212c
                                                                                • Opcode Fuzzy Hash: 138cf1d2708028cd6e9096853fa836b610bce6da07ce657d635f6670e06ad364
                                                                                • Instruction Fuzzy Hash: 28810171D04258DFDF01CFE8D985AEEBBB0FB09315F1400AAE581B7262C3385A85DB69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetVersion.KERNEL32 ref: 00402A46
                                                                                  • Part of subcall function 00403B64: HeapCreate.KERNEL32(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                  • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                                  • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                • String ID:
                                                                                • API String ID: 2057626494-0
                                                                                • Opcode ID: 5b516be980998e5fa11934bd411f48f35677f68372fd4b7f5b43ba3d9a21ae17
                                                                                • Instruction ID: 77a0c2ab577daa94e22818ed769fd4cb67ba6910a5c0d3980e0314dd63f46b93
                                                                                • Opcode Fuzzy Hash: 5b516be980998e5fa11934bd411f48f35677f68372fd4b7f5b43ba3d9a21ae17
                                                                                • Instruction Fuzzy Hash: 31214CB19006159EDB14AFA6DE4AA6E7FA9EB04715F10413EF905BB2D1DB384900CA6C

                                                                                 Control-flow Graph
                                                                                 (rendered graph omitted; entry block 24e1aa9. InterlockedIncrement in block 24e1aa9-24e1ac3, WSAStartup and InterlockedExchange in 24e1ac5-24e1ad7: a once-only Winsock initialisation guarded by an interlocked counter.)
                                                                                APIs
                                                                                • InterlockedIncrement.KERNEL32(0251529C), ref: 024E1ABA
                                                                                • WSAStartup.WS2_32(00000002,00000000), ref: 024E1ACB
                                                                                • InterlockedExchange.KERNEL32(025152A0,00000000), ref: 024E1AD7
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$ExchangeIncrementStartup
                                                                                • String ID:
                                                                                • API String ID: 1856147945-0
                                                                                • Opcode ID: 40c52cae5aa80fbc1bebd6b21f0d0292b3e7448ab59db4531851a8df7190e784
                                                                                • Instruction ID: 58dc75f4614a93e24f7aa07732afc53d1f5ec9e8c8ba42c5800efab9548a05fd
                                                                                • Opcode Fuzzy Hash: 40c52cae5aa80fbc1bebd6b21f0d0292b3e7448ab59db4531851a8df7190e784
                                                                                • Instruction Fuzzy Hash: 70D02B32C802041BF5106A909D5EE3C375CF305312FC00601FD69C01C0F761682489AE

                                                                                 Control-flow Graph
                                                                                 (rendered graph omitted; entry block 4019a5. RegOpenKeyExA on HKLM\...\Explorer\Shell Folders in block 4019a5-40df89.)
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), ref: 0040DF81
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040DEAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                • API String ID: 71445658-2036018995
                                                                                • Opcode ID: 0e19223a3f44f035ed6f040ebe4bf452e17bbc6dc8c57fb453211704e6e7ccb6
                                                                                • Instruction ID: 62496fd7efeec0c0a9dd63ff534e2930fe5623e57fb7220eedc568082897d305
                                                                                • Opcode Fuzzy Hash: 0e19223a3f44f035ed6f040ebe4bf452e17bbc6dc8c57fb453211704e6e7ccb6
                                                                                • Instruction Fuzzy Hash: A4D05EA1A1C207D5DB101AF09908FB7E67CBB04709B20853BAA0BB14D1E33C5509E06B

                                                                                 Control-flow Graph
                                                                                 (rendered graph omitted; entry block 401e7c. RegCreateKeyExA on HKLM\Software\uvd56 in block 40d99f-40db3b.)
                                                                                APIs
                                                                                • RegCreateKeyExA.KERNEL32(80000002,Software\uvd56,00000000), ref: 0040DB33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID: Software\uvd56
                                                                                • API String ID: 2289755597-1691345530
                                                                                • Opcode ID: 655169836c4a9fb9ecfb25010d063e5ae4b158f7a522cce5a3fc699504dbd27a
                                                                                • Instruction ID: 651adf52963566133ef61a6c2ec67bc63ef80eae05e373c5efdd1f784e879882
                                                                                • Opcode Fuzzy Hash: 655169836c4a9fb9ecfb25010d063e5ae4b158f7a522cce5a3fc699504dbd27a
                                                                                • Instruction Fuzzy Hash: D1C08C64E4C242D5F6040FE04E0DB3326209710704F311037A883B51C2D97D0C8FB90F
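Two of the functions above leave host-side artifacts that are cheap to alert on: RegCreateKeyExA under HKEY_LOCAL_MACHINE (80000002) on Software\uvd56, and the CreateFile/DeviceIoControl function at the top of this section that opens \\.\PhysicalDrive0, the raw-disk handle behind the report's "Contains functionality to infect the boot sector" signature. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it evaluates those two indicators over constructed, Sysmon-shaped registry and RawAccessRead events. The event records, the image paths, the allowlist and the assumption that a handle on \\.\PhysicalDrive0 surfaces as the device object \Device\Harddisk0\DR0 are all mine, not the report's.

```python
"""Match host telemetry against the persistence and raw-disk artifacts above.

Added example; not code from the Joe Sandbox report or from the sample.
"""
import re
from typing import Dict, List

# Constructed, Sysmon-shaped events (not taken from the sandbox run). Field
# names follow Sysmon's RegistryEvent (EventID 12/13) and RawAccessRead
# (EventID 9). Image paths are hypothetical; mapping \\.\PhysicalDrive0 to
# \Device\Harddisk0\DR0 is my assumption, not something the report states.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Users\user\Desktop\gjEtERlBSv.exe",
     "TargetObject": r"HKLM\SOFTWARE\uvd56"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example\DisplayName"},
    {"EventID": 9, "Image": r"C:\Users\user\Desktop\gjEtERlBSv.exe",
     "Device": r"\Device\Harddisk0\DR0"},
    {"EventID": 9, "Image": r"C:\Windows\System32\vssvc.exe",
     "Device": r"\Device\HarddiskVolume2"},
]

# The key the sample creates under HKLM (RegCreateKeyExA above). Match the key
# itself or any value beneath it, case-insensitively.
REGISTRY_IOC = re.compile(r"^HKLM\\SOFTWARE\\uvd56(\\|$)", re.IGNORECASE)

# Whole-disk device objects, where the MBR / boot sector lives.
PHYSICAL_DISK = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)

# Hypothetical allowlist of images expected to read raw disks; tune per estate.
RAW_READ_ALLOWLIST = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\defrag.exe",
}


def evaluate(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a Socks5Systemz host indicator."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        image = str(ev.get("Image", ""))
        if eid in (12, 13):
            target = str(ev.get("TargetObject", ""))
            if REGISTRY_IOC.search(target):
                alerts.append({"rule": "socks5systemz_registry_key",
                               "image": image, "detail": target})
        elif eid == 9:
            if image.lower() in RAW_READ_ALLOWLIST:
                continue
            device = str(ev.get("Device", ""))
            # A read of the whole disk (DRn) reaches the boot sector; a volume
            # read is still raw access, just not the MBR, so label them apart.
            kind = "physical_disk" if PHYSICAL_DISK.match(device) else "volume"
            alerts.append({"rule": "raw_disk_read_" + kind,
                           "image": image, "detail": device})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The RegOpenKeyExA on Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders two functions up is a routine folder-path lookup that countless legitimate installers perform; it tells you where the dropper resolves its drop directory but is not itself an indicator, so it is deliberately left out of the rules.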

                                                                                 Control-flow Graph
                                                                                 (rendered graph omitted; entry block 403b64. HeapCreate in block 403b64-403b82, calls into 403a1c, 403f3b and 40478c, HeapDestroy on the failure path at 403bae-403bb4: C runtime heap initialisation.)
                                                                                APIs
                                                                                • HeapCreate.KERNEL32(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                  • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                • HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                  • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocCreateDestroyVersion
                                                                                • String ID:
                                                                                • API String ID: 2507506473-0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 808 401eeb-4020ca RegQueryValueExA 810 40d779 808->810 811 40d511-40d51a RegCloseKey 810->811 812 40d77f-40d781 810->812 811->810 813 40df97 812->813 813->813
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CloseQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3356406503-0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 814 40197f-401986 GetModuleHandleA 815 40d8da-40d8e8 GetModuleFileNameA 814->815
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32 ref: 0040197F
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 0040D8DA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Module$FileHandleName
                                                                                • String ID:
                                                                                • API String ID: 4146042529-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CloseValue
                                                                                • String ID:
                                                                                • API String ID: 3132538880-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.0000000002518000.00000040.00001000.00020000.00000000.sdmp, Offset: 02518000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2518000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: InternetOpen
                                                                                • String ID:
                                                                                • API String ID: 2038078732-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.0000000002518000.00000040.00001000.00020000.00000000.sdmp, Offset: 02518000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2518000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.0000000002518000.00000040.00001000.00020000.00000000.sdmp, Offset: 02518000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2518000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                APIs
                                                                                • LoadLibraryExA.KERNEL32(?), ref: 004023FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: ManagerOpen
                                                                                • String ID:
                                                                                • API String ID: 1889721586-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CopyFile
                                                                                • String ID:
                                                                                • API String ID: 1304948518-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CopyFile
                                                                                • String ID:
                                                                                • API String ID: 1304948518-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectory
                                                                                • String ID:
                                                                                • API String ID: 4241100979-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.0000000002518000.00000040.00001000.00020000.00000000.sdmp, Offset: 02518000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_2518000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 94bd9c0c73775213666b7ff3799879ea376a884ed82a198bcd2fc2113cea12c2
                                                                                • Instruction ID: d1be32829be8c25fb69ac799e420d900285b1f3a904822bd6c83d1d0adac077a
                                                                                • Opcode Fuzzy Hash: 94bd9c0c73775213666b7ff3799879ea376a884ed82a198bcd2fc2113cea12c2
                                                                                • Instruction Fuzzy Hash: 8DD0E230808200EACB089BD5EE086B43A70EB04300F21007BD602792E0C3BC194AAA9E
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000), ref: 0040DDF7
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 9f9ae99d865edd76993124f9e411f6608f68a553067475294d4c2cc3f120f60b
                                                                                • Instruction ID: 881b39fdf667f8b61f75896a9385ab742011a42009b7996b3e096e674b6729dd
                                                                                • Opcode Fuzzy Hash: 9f9ae99d865edd76993124f9e411f6608f68a553067475294d4c2cc3f120f60b
                                                                                • Instruction Fuzzy Hash: 98C01230815204DB8B044BB486095ACBA74FB10221B4A1A36B882722B0C7794D45B54D
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 4548ab00be09770fe9e065f408897f1248cdd821c64931225f775c8cb730a6ee
                                                                                • Instruction ID: cace5c808a3440a97e2e753a7dd54b8da7bcdd58a7bf96d18be3735adcb1fddb
                                                                                • Opcode Fuzzy Hash: 4548ab00be09770fe9e065f408897f1248cdd821c64931225f775c8cb730a6ee
                                                                                • Instruction Fuzzy Hash: 41C00270949200EAD6049BD5EF0567036B0E704745B32187B9B47BA2E1C7BC690AAAAF
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 17b67c2fe1105983cf24113d7ce321ff4248f16143a2ceb7a824bc0cdca7cbbf
                                                                                • Instruction ID: d5cb0cccf209a54ee825f813e46aca9ea11fb51dbcd08e855185ec41d8002ccd
                                                                                • Opcode Fuzzy Hash: 17b67c2fe1105983cf24113d7ce321ff4248f16143a2ceb7a824bc0cdca7cbbf
                                                                                • Instruction Fuzzy Hash: 5AC00270949200EAD6049B95EF04A7036B0E704745B221477A747B62E0C7BC690AAA9E
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 36022d94325b9c35f9d57278cd49d6468ba13e31d994fee1e25ee0cd0122c971
                                                                                • Instruction ID: d837a9c393e448aecdb9e46e69f1651720a56283099180bc934375061cfc44c1
                                                                                • Opcode Fuzzy Hash: 36022d94325b9c35f9d57278cd49d6468ba13e31d994fee1e25ee0cd0122c971
                                                                                • Instruction Fuzzy Hash: 51C02BA180D3C04FC30207510A080303F300C0213033B08E7C143170E3933D0B09D15F
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000), ref: 0040DDF7
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 1ed06133affaf14137d10cd694540a66cf40216ed806ca5d77d637f9b5ff7995
                                                                                • Instruction ID: 64df9cd91369e7f78e6bb1be813c4d1c2f0ba400d2f56f0566ef857d5eb32cbb
                                                                                • Opcode Fuzzy Hash: 1ed06133affaf14137d10cd694540a66cf40216ed806ca5d77d637f9b5ff7995
                                                                                • Instruction Fuzzy Hash: 56C09270945104EBD7048FA0DA49B9CBA71BB04300F114027A802B22D0CB7C5989AA1A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: d76e91c42c7f30503a888a3b073e3f492df5f924e0c098d79268438ded05d8f7
                                                                                • Instruction ID: 69d4437d0a2be428557d66981e2b4e91e6969fcf76ac1e4e5849d48557e160eb
                                                                                • Opcode Fuzzy Hash: d76e91c42c7f30503a888a3b073e3f492df5f924e0c098d79268438ded05d8f7
                                                                                • Instruction Fuzzy Hash: EAB09234144500EBD7044A40DB4CB58BF70A704304F1240A2A342761E286BC9686AA0A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: c60c0574c738ae4281e61e0ad53df22888e9d299d31f51e6ddfa3c22ebb38ca7
                                                                                • Instruction ID: 39dde717736bafe6e04f82aa39057be17a1bb6f2755cbc5a20c21a97f017fec7
                                                                                • Opcode Fuzzy Hash: c60c0574c738ae4281e61e0ad53df22888e9d299d31f51e6ddfa3c22ebb38ca7
                                                                                • Instruction Fuzzy Hash:
                                                                                APIs
                                                                                • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                                                  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                • sqlite3_step.SQLITE3 ref: 6096755A
                                                                                • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                                                • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                                                • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                                                • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                                                • sqlite3_step.SQLITE3 ref: 609679C3
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                                                • sqlite3_step.SQLITE3 ref: 60967AB4
                                                                                • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                                                • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                                                • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                                                • sqlite3_step.SQLITE3 ref: 60967B94
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                                                • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                                                • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                                                • sqlite3_step.SQLITE3 ref: 60967C7D
                                                                                • memcmp.MSVCRT ref: 60967D4C
                                                                                • sqlite3_free.SQLITE3 ref: 60967D69
                                                                                • sqlite3_free.SQLITE3 ref: 60967D74
                                                                                • sqlite3_free.SQLITE3 ref: 60967FF7
                                                                                • sqlite3_free.SQLITE3 ref: 60968002
                                                                                  • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                  • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                  • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                  • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                  • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                                • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                                • sqlite3_reset.SQLITE3 ref: 60968035
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                                  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                                • sqlite3_step.SQLITE3 ref: 609680D1
                                                                                • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                                • sqlite3_reset.SQLITE3 ref: 60968104
                                                                                • sqlite3_step.SQLITE3 ref: 60968139
                                                                                • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                                • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                                  • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                                • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                                  • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                                • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                                  • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                                • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                                  • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                                • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                                • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                                • sqlite3_step.SQLITE3 ref: 6096764C
                                                                                • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                                • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                                • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                                  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                                • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                                • sqlite3_step.SQLITE3 ref: 609690E6
                                                                                • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                                • sqlite3_free.SQLITE3 ref: 60969102
                                                                                • sqlite3_free.SQLITE3 ref: 6096910D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                                • String ID: $d
                                                                                • API String ID: 2451604321-2084297493
                                                                                • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                                                • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
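The function records above are machine output from the Joe Sandbox IDA plugin and are tedious to query by eye. The following is an added example, not part of this report and not Joe Security's code: a small parser that turns the APIs / Memory Dump Source / Similarity blocks into structured records, checks the per-record hash fields for consistency, and flags functions whose dump region is execute-read-write. Two assumptions are made and marked in the code: the fifth dot-separated field of a .sdmp dump name is read as a Windows PAGE_* protection value (the report does not document the naming scheme), and SAMPLE is a constructed excerpt of three records copied from this report and trimmed to a few bullets each.

```python
"""Added helper: parse Joe Sandbox IDA-plugin function records into structured data."""
import re
from dataclasses import dataclass, field

# Windows PAGE_* protection constants. ASSUMPTION (not stated by the report): the
# fifth dot-separated field of a .sdmp dump name is the region's protection in hex.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
SECTION_HEADERS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# "VirtualAlloc.KERNEL32(00000000), ref: 0040DDF7"  /  "sqlite3_malloc.SQLITE3 ref: 609674C6"
API_RE = re.compile(r"^(\w+)\.(\w+)(?:\(([^)]*)\))?,? ref: ([0-9A-Fa-f]+)$")
# "Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(...), ref: 60916FC4"
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-Fa-f]+): (\w+)\.(\w+).*? ref: ([0-9A-Fa-f]+)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # direct calls: (api, module, args, ref)
    subcalls: list = field(default_factory=list)  # calls inside callees: (callee, api, module, ref)
    fields: dict = field(default_factory=dict)    # "Opcode ID", "Source File", ... -> value

    def get(self, key):
        return self.fields.get(key, "")

    def dump_region(self):
        """(base address, protection name) taken from the Source File dump name."""
        name = self.get("Source File").split(",")[0].strip()  # drop ', Offset: ..., based on PE: ...'
        parts = name.removesuffix(".sdmp").split(".")
        if len(parts) < 5:
            return None
        base, protect = int(parts[3], 16), int(parts[4], 16)
        return base, PAGE_PROTECTION.get(protect, f"0x{protect:02x}")

    def problems(self):
        """Consistency checks worth running before reusing the hashes for similarity matching."""
        issues = []
        if self.get("Opcode ID") != self.get("Opcode Fuzzy Hash"):
            issues.append("Opcode ID differs from Opcode Fuzzy Hash")
        if not self.get("Instruction Fuzzy Hash"):
            issues.append("Instruction Fuzzy Hash missing")
        return issues


def parse_records(text):
    """A record starts at a bare 'APIs' header; each bullet is filed under the current section."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = SUBCALL_RE.match(body) or API_RE.match(body)
            if m:
                (current.subcalls if m.re is SUBCALL_RE else current.apis).append(m.groups())
            continue
        key, _, value = body.partition(":")
        current.fields[key.strip()] = value.strip()
    return records


def rwx_functions(records):
    """Functions dumped from PAGE_EXECUTE_READWRITE memory: code executing from a writable
    region, which is what an unpacker that rewrites its own image in place leaves behind."""
    hits = []
    for r in records:
        region = r.dump_region()
        if region and region[1] == "PAGE_EXECUTE_READWRITE":
            hits.append((hex(region[0]), r.get("API ID")))
    return hits


# Constructed sample: three records copied from the report and trimmed to a few bullets.
SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32(00000000), ref: 0040DDF7
Memory Dump Source
• Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9f9ae99d865edd76993124f9e411f6608f68a553067475294d4c2cc3f120f60b
• Opcode Fuzzy Hash: 9f9ae99d865edd76993124f9e411f6608f68a553067475294d4c2cc3f120f60b
• Instruction Fuzzy Hash: 98C01230815204DB8B044BB486095ACBA74FB10221B4A1A36B882722B0C7794D45B54D
APIs
Memory Dump Source
• Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Sleep
• Opcode ID: c60c0574c738ae4281e61e0ad53df22888e9d299d31f51e6ddfa3c22ebb38ca7
• Opcode Fuzzy Hash: c60c0574c738ae4281e61e0ad53df22888e9d299d31f51e6ddfa3c22ebb38ca7
• Instruction Fuzzy Hash:
APIs
• sqlite3_malloc.SQLITE3 ref: 609674C6
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,609129E5), ref: 60916FC4
• memcmp.MSVCRT ref: 60967D4C
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Similarity
• API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free
• Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.get("API ID"), rec.dump_region(), rec.problems())
    print(rwx_functions(parse_records(SAMPLE)))
```

Run against the full report text, the RWX listing separates functions recovered from the rewritten 0x400000 image (protection 0x40) from the sqlite3 library code at 0x60900000 (0x20, execute-read), and problems() surfaces records such as the one whose Instruction Fuzzy Hash field is empty, which cannot be used for similarity matching.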
                                                                                APIs
                                                                                • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                                • sqlite3_free.SQLITE3 ref: 60966183
                                                                                • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                                • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                                • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                                • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                                • memcmp.MSVCRT ref: 6096639E
                                                                                  • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                                  • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                                • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                                • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                                  • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                  • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                                • String ID: ASC$DESC$x
                                                                                • API String ID: 4082667235-1162196452
                                                                                • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                                                • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                APIs
                                                                                • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                  • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                  • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                  • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                  • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                  • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                • String ID:
                                                                                • API String ID: 961572588-0
                                                                                • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                • String ID: 2$foreign key$indexed
                                                                                • API String ID: 4126863092-702264400
                                                                                • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_stricmp
                                                                                • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                • API String ID: 912767213-1308749736
                                                                                • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                APIs
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                  • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                • String ID:
                                                                                • API String ID: 4082478743-0
                                                                                • Opcode ID: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                • Opcode Fuzzy Hash: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                                • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                APIs
                                                                                  • Part of subcall function 024E8AD5: __EH_prolog.LIBCMT ref: 024E8ADA
                                                                                  • Part of subcall function 024E8AD5: _Allocate.LIBCPMT ref: 024E8B31
                                                                                  • Part of subcall function 024E8AD5: _memmove.LIBCMT ref: 024E8B88
                                                                                • _memset.LIBCMT ref: 024EF939
                                                                                • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 024EF9A2
                                                                                • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 024EF9AA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                                • String ID: Unknown error$invalid string position
                                                                                • API String ID: 1854462395-1837348584
                                                                                • Opcode ID: 984cf66268f3bd4f7fa201fb450ddc4bb1f41ece725e5722b1215f38b6ef96cb
                                                                                • Instruction ID: 1a21e904a23d217500085f7c0d27b14a6c90b93a1084fe880e12e7da6a9121bc
                                                                                • Opcode Fuzzy Hash: 984cf66268f3bd4f7fa201fb450ddc4bb1f41ece725e5722b1215f38b6ef96cb
                                                                                • Instruction Fuzzy Hash: A651CD706083419FEB14CF25C890B2FBBE4FB98345F50492EE4929BAA1D771E588CF56
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                  • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                  • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                  • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID: BINARY$INTEGER
                                                                                • API String ID: 317512412-1676293250
                                                                                • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                  • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                  • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                • String ID:
                                                                                • API String ID: 4038589952-0
                                                                                • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                APIs
                                                                                  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_bind_int.SQLITE3 ref: 6096A3DE
  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
• sqlite3_column_int.SQLITE3 ref: 6096A3F3
• sqlite3_step.SQLITE3 ref: 6096A435
• sqlite3_reset.SQLITE3 ref: 6096A445
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
• String ID:
• API String ID: 247099642-0
• Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
• Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
• Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
• Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
APIs
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_bind_int64.SQLITE3 ref: 6096A322
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_step.SQLITE3 ref: 6096A32D
• sqlite3_column_int.SQLITE3 ref: 6096A347
  • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
• sqlite3_reset.SQLITE3 ref: 6096A354
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
• String ID:
• API String ID: 326482775-0
• Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
• Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
• Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
• Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
• sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
• Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
• Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
• Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
• Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,024F3AF6,?,?,?,00000001), ref: 024F80DF
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 024F80E8
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 16b788573c6ec40bc2efab87866d205a92c364384b4c6dc4955cb31ccad74ad7
• Instruction ID: 47c48839272775ad95a36defbb9e0ddb2ba34e70ad49ae9f6e983821d4025a3a
• Opcode Fuzzy Hash: 16b788573c6ec40bc2efab87866d205a92c364384b4c6dc4955cb31ccad74ad7
• Instruction Fuzzy Hash: 0FB09231484208ABCB002F91EC6DF6C3F28FB04692FC84820F60E44054ABA25564AEDA
APIs
  • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
• sqlite3_mutex_leave.SQLITE3 ref: 60925508
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_logsqlite3_mutex_leave
• String ID:
• API String ID: 1465156292-0
• Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
• Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
• Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
• Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
APIs
• _memset.LIBCMT ref: 024EE86E
  • Part of subcall function 024EE6F5: _memmove.LIBCMT ref: 024EE7B3
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: _memmove_memset
• String ID:
• API String ID: 3555123492-0
• Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
• Instruction ID: 1b6ed36e283645ee81d9d2df768c5c49449f397530ed7fb9f1c2876148c406ba
• Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
• Instruction Fuzzy Hash: 4BF082B1A04309AAD704DF9AD942B8DFBB8FB84314F20816AD508A7340E6B07A118B90
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00401D69
Memory Dump Source
• Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: 21f2862ff9011eeed4d61d0abad1fc7f095a050e4dc13d95ac30eb02035c2d5f
• Instruction ID: e6580fb05b07e932b337b46573953338041bf00c0e3ab044fef683c70f022eb2
• Opcode Fuzzy Hash: 21f2862ff9011eeed4d61d0abad1fc7f095a050e4dc13d95ac30eb02035c2d5f
• Instruction Fuzzy Hash: D4F08C71A0C2998BCB154BA5AE116AB7F71A712301B450077D896B10A6D73D8846EF1E
APIs
Memory Dump Source
• Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
Similarity
• API ID: CreateService
• String ID:
• API String ID: 1592570254-0
• Opcode ID: 692e9e6f3695da89d05c2fd94b6aa057bd342ffbac8b485b61b8ce6c40b77352
• Instruction ID: bcdff23f75bf5180f044257ed2409793c1aeea19345a4fa8a5eb6de440b478b4
• Opcode Fuzzy Hash: 692e9e6f3695da89d05c2fd94b6aa057bd342ffbac8b485b61b8ce6c40b77352
• Instruction Fuzzy Hash: F9C04C30C04104DACF540FC05A441283A316744310766447AE442735D4C7399C5EA64D
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
• Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
• Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
• Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
APIs
• sqlite3_initialize.SQLITE3 ref: 6096C5BE
  • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
• sqlite3_log.SQLITE3 ref: 6096C5FC
• sqlite3_free.SQLITE3 ref: 6096C67E
• sqlite3_free.SQLITE3 ref: 6096CD71
• sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
• sqlite3_errcode.SQLITE3 ref: 6096CD88
• sqlite3_close.SQLITE3 ref: 6096CD97
• sqlite3_create_function.SQLITE3 ref: 6096CDF8
Strings
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
• String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
• API String ID: 1320758876-2501389569
• Opcode ID: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
• Instruction ID: 66f98c4e8467cc0752991b2fada45a5d6d89a43a55ba94f1559c09c68fc79e30
• Opcode Fuzzy Hash: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
• Instruction Fuzzy Hash: 7A024BB05183019BEB119F64C49536ABFF6BFA1348F11882DE8959F386D7B9C845CF82
APIs
• sqlite3_free.SQLITE3 ref: 609264C9
• sqlite3_free.SQLITE3 ref: 60926526
• sqlite3_free.SQLITE3 ref: 6092652E
• sqlite3_free.SQLITE3 ref: 60926550
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
  • Part of subcall function 6090AFF5: sqlite3_free.SQLITE3 ref: 6090B09A
• sqlite3_free.SQLITE3 ref: 60926626
• sqlite3_win32_mbcs_to_utf8.SQLITE3 ref: 6092662E
• sqlite3_free.SQLITE3 ref: 60926638
• sqlite3_snprintf.SQLITE3 ref: 6092666B
• sqlite3_free.SQLITE3 ref: 60926673
• sqlite3_snprintf.SQLITE3 ref: 609266B8
Strings
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
• String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
• API String ID: 937752868-2111127023
• Opcode ID: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
• Instruction ID: 28f04709130b2e8b140c84fcd32bad5e17fba194e1ccee1aab8ced89c5ccf9cf
• Opcode Fuzzy Hash: 76700054f020c8d7fe753577c30eef17e659d67ca67044e42639e839992701d7
• Instruction Fuzzy Hash: EA712E706183058FE700AF69D88465DBFF6AFA5748F00C82DE8999B314E778C845DF92
APIs
Strings
• PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
• ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
• ATTACH '' AS vacuum_db;, xrefs: 60948529
• SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
• SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
• INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
• SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %', xrefs: 609486E8
                                                                                • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                                • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                                • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                                • BEGIN;, xrefs: 609485DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                                • API String ID: 632333372-52344843
                                                                                • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                                                • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 024E1D11
                                                                                • GetLastError.KERNEL32 ref: 024E1D23
                                                                                  • Part of subcall function 024E1712: __EH_prolog.LIBCMT ref: 024E1717
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 024E1D59
                                                                                • GetLastError.KERNEL32 ref: 024E1D6B
                                                                                • __beginthreadex.LIBCMT ref: 024E1DB1
                                                                                • GetLastError.KERNEL32 ref: 024E1DC6
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024E1DDD
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024E1DEC
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 024E1E14
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024E1E1B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                • String ID: thread$thread.entry_event$thread.exit_event
                                                                                • API String ID: 831262434-3017686385
                                                                                • Opcode ID: a444efe57bb50672bd25d70bf18fb6364adca48d6ae76fa2ac653b3ff3144605
                                                                                • Instruction ID: 2fa3f419e9999a7ae0f11eee0d55c6b355e8af3d08dc640e1f2b95f85e2e4d13
                                                                                • Opcode Fuzzy Hash: a444efe57bb50672bd25d70bf18fb6364adca48d6ae76fa2ac653b3ff3144605
                                                                                • Instruction Fuzzy Hash: C0315C71A403019FEB00EF24C894B6F7BA5FB84751F10491EF95A87294EB709C498F92
                                                                                APIs
                                                                                • SetServiceStatus.ADVAPI32(0040BE50), ref: 00401A02
                                                                                • SetEvent.KERNEL32 ref: 00401A0E
                                                                                • RegisterServiceCtrlHandlerA.ADVAPI32(UniversalVideoConverter,004019C8), ref: 00401A25
                                                                                • SetServiceStatus.ADVAPI32(0040BE50), ref: 00401A84
                                                                                • GetLastError.KERNEL32 ref: 00401A86
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00401A93
                                                                                • GetLastError.KERNEL32 ref: 00401AB4
                                                                                • SetServiceStatus.ADVAPI32(0040BE50), ref: 00401AE4
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00001897,00000000,00000000,00000000), ref: 00401AF0
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401AF9
                                                                                • CloseHandle.KERNEL32 ref: 00401B05
                                                                                • SetServiceStatus.ADVAPI32(0040BE50), ref: 00401B2E
                                                                                Strings
                                                                                • UniversalVideoConverter, xrefs: 00401A20
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Service$Status$CreateErrorEventLast$CloseCtrlHandleHandlerObjectRegisterSingleThreadWait
                                                                                • String ID: UniversalVideoConverter
                                                                                • API String ID: 1078627318-971865588
                                                                                • Opcode ID: f6b4af91a6a42d288424cf4edc8857197a7fabf83c516d95e336b10d5a597691
                                                                                • Instruction ID: 488a16a82b8164d47a8ac67fbdf362e083d40e6bb7c0ed821cdc441ae05caad8
                                                                                • Opcode Fuzzy Hash: f6b4af91a6a42d288424cf4edc8857197a7fabf83c516d95e336b10d5a597691
                                                                                • Instruction Fuzzy Hash: 7431A8B1501384ABD310AF26EF48B967BB8EB95B56B11803AE241B23B1C7F90444CBDC
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E24E6
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 024E24FC
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 024E250E
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 024E256D
                                                                                • SetLastError.KERNEL32(00000000,?,774CDFB0), ref: 024E257F
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,774CDFB0), ref: 024E2599
                                                                                • GetLastError.KERNEL32(?,774CDFB0), ref: 024E25A2
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 024E25F0
                                                                                • InterlockedDecrement.KERNEL32(00000002), ref: 024E262F
                                                                                • InterlockedExchange.KERNEL32(00000000,00000000), ref: 024E268E
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024E2699
                                                                                • InterlockedExchange.KERNEL32(00000000,00000001), ref: 024E26AD
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,774CDFB0), ref: 024E26BD
                                                                                • GetLastError.KERNEL32(?,774CDFB0), ref: 024E26C7
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                • String ID:
                                                                                • API String ID: 1213838671-0
                                                                                • Opcode ID: 612f9817907f52d91cbe68c2d64865ac002e29e2250804b5ee4a59604959fc67
                                                                                • Instruction ID: 35cc940718bb6bcc3fe6727ef0d0950e60fc66d9f301931e8bda280e6bfd9ce0
                                                                                • Opcode Fuzzy Hash: 612f9817907f52d91cbe68c2d64865ac002e29e2250804b5ee4a59604959fc67
                                                                                • Instruction Fuzzy Hash: 7C613F71D00209EFEF10DFA5D998AAEBBB9FF08311F50491AE906E7240E7709944CF60
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E4608
                                                                                  • Part of subcall function 024F27B5: _malloc.LIBCMT ref: 024F27CD
                                                                                • htons.WS2_32(?), ref: 024E4669
                                                                                • htonl.WS2_32(?), ref: 024E468C
                                                                                • htonl.WS2_32(00000000), ref: 024E4693
                                                                                • htons.WS2_32(00000000), ref: 024E4747
                                                                                • _sprintf.LIBCMT ref: 024E475D
                                                                                  • Part of subcall function 024E7987: _memmove.LIBCMT ref: 024E79A7
                                                                                • htons.WS2_32(?), ref: 024E46B0
                                                                                  • Part of subcall function 024E8733: __EH_prolog.LIBCMT ref: 024E8738
                                                                                  • Part of subcall function 024E8733: RtlEnterCriticalSection.NTDLL(00000020), ref: 024E87B3
                                                                                  • Part of subcall function 024E8733: RtlLeaveCriticalSection.NTDLL(00000020), ref: 024E87D1
                                                                                  • Part of subcall function 024E1BA7: __EH_prolog.LIBCMT ref: 024E1BAC
                                                                                  • Part of subcall function 024E1BA7: RtlEnterCriticalSection.NTDLL ref: 024E1BBC
                                                                                  • Part of subcall function 024E1BA7: RtlLeaveCriticalSection.NTDLL ref: 024E1BEA
                                                                                  • Part of subcall function 024E1BA7: RtlEnterCriticalSection.NTDLL ref: 024E1C13
                                                                                  • Part of subcall function 024E1BA7: RtlLeaveCriticalSection.NTDLL ref: 024E1C56
                                                                                  • Part of subcall function 024ECEEF: __EH_prolog.LIBCMT ref: 024ECEF4
                                                                                • htonl.WS2_32(?), ref: 024E497C
                                                                                • htonl.WS2_32(00000000), ref: 024E4983
                                                                                • htonl.WS2_32(00000000), ref: 024E49C8
                                                                                • htonl.WS2_32(00000000), ref: 024E49CF
                                                                                • htons.WS2_32(?), ref: 024E49EF
                                                                                • htons.WS2_32(?), ref: 024E49F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                • String ID:
                                                                                • API String ID: 1645262487-0
                                                                                • Opcode ID: f1c7349bf8eb475aa14b3a19948889d4685dbe54f1e0ea496a365b43347d4cfe
                                                                                • Instruction ID: cafbd29b59056deb0ae1f1c6510aa933e511225f2d949be1eddb4ceade6b9dce
                                                                                • Opcode Fuzzy Hash: f1c7349bf8eb475aa14b3a19948889d4685dbe54f1e0ea496a365b43347d4cfe
                                                                                • Instruction Fuzzy Hash: 54023A71C00259EEEF15DFA5C844BEEBBB9BF08306F10455AE546B7280EB745A48CFA1
                                                                                APIs
                                                                                • RtlDecodePointer.NTDLL(?), ref: 024F6EE8
                                                                                • _free.LIBCMT ref: 024F6F01
                                                                                  • Part of subcall function 024F1F74: HeapFree.KERNEL32(00000000,00000000,?,024F4932,00000000,00000104,774D0A60), ref: 024F1F88
                                                                                  • Part of subcall function 024F1F74: GetLastError.KERNEL32(00000000,?,024F4932,00000000,00000104,774D0A60), ref: 024F1F9A
                                                                                • _free.LIBCMT ref: 024F6F14
                                                                                • _free.LIBCMT ref: 024F6F32
                                                                                • _free.LIBCMT ref: 024F6F44
                                                                                • _free.LIBCMT ref: 024F6F55
                                                                                • _free.LIBCMT ref: 024F6F60
                                                                                • _free.LIBCMT ref: 024F6F84
                                                                                • RtlEncodePointer.NTDLL(00809860), ref: 024F6F8B
                                                                                • _free.LIBCMT ref: 024F6FA0
                                                                                • _free.LIBCMT ref: 024F6FB6
                                                                                • _free.LIBCMT ref: 024F6FDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 3064303923-0
                                                                                • Opcode ID: 4e2cbbcf237fb8204bd356f62ff4ad7bbee82f69ebc1827b3a4ebca4f6200907
                                                                                • Instruction ID: 71b8ccc27250b6832a29ea238a046ac58c2c6af102eca6fc09d8e358874cb03d
                                                                                • Opcode Fuzzy Hash: 4e2cbbcf237fb8204bd356f62ff4ad7bbee82f69ebc1827b3a4ebca4f6200907
                                                                                • Instruction Fuzzy Hash: A521F336D45110CFCB90AF66F8805563769EB8472432B592FEA0E9B300C7315868EF6C
                                                                                APIs
                                                                                  • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                  • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                  • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                  • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                  • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                  • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                  • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                • sqlite3_free.SQLITE3 ref: 60960618
                                                                                • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                • String ID: offsets
                                                                                • API String ID: 463808202-2642679573
                                                                                • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E4D8B
                                                                                • RtlEnterCriticalSection.NTDLL(02514FD0), ref: 024E4DB7
                                                                                • RtlLeaveCriticalSection.NTDLL(02514FD0), ref: 024E4DC3
                                                                                  • Part of subcall function 024E4BED: __EH_prolog.LIBCMT ref: 024E4BF2
                                                                                  • Part of subcall function 024E4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 024E4CF2
                                                                                • RtlEnterCriticalSection.NTDLL(02514FD0), ref: 024E4E93
                                                                                • RtlLeaveCriticalSection.NTDLL(02514FD0), ref: 024E4E99
                                                                                • RtlEnterCriticalSection.NTDLL(02514FD0), ref: 024E4EA0
                                                                                • RtlLeaveCriticalSection.NTDLL(02514FD0), ref: 024E4EA6
                                                                                • RtlEnterCriticalSection.NTDLL(02514FD0), ref: 024E50A7
                                                                                • RtlLeaveCriticalSection.NTDLL(02514FD0), ref: 024E50AD
                                                                                • RtlEnterCriticalSection.NTDLL(02514FD0), ref: 024E50B8
                                                                                • RtlLeaveCriticalSection.NTDLL(02514FD0), ref: 024E50C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                • String ID:
                                                                                • API String ID: 2062355503-0
                                                                                • Opcode ID: 4d1ded5bcdf10d2d389ac64397cfd083b232a2ee835dbd720bd36518e5fa6d60
                                                                                • Instruction ID: 42a6764670306f4ef8e325fc33debb6a554fbd7c1caadc3f735b7ea543ea63e6
                                                                                • Opcode Fuzzy Hash: 4d1ded5bcdf10d2d389ac64397cfd083b232a2ee835dbd720bd36518e5fa6d60
                                                                                • Instruction Fuzzy Hash: 50B16A71D0025DDEEF25DFA4D884BEEBBB5BF04319F10405AE40676280DBB45A49CFA5
                                                                                APIs
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                • String ID:
                                                                                • API String ID: 2903785150-0
                                                                                • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                                • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E3428
                                                                                • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 024E346B
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 024E3472
                                                                                • GetLastError.KERNEL32 ref: 024E3486
                                                                                • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 024E34D7
                                                                                • RtlEnterCriticalSection.NTDLL(00000018), ref: 024E34ED
                                                                                • RtlLeaveCriticalSection.NTDLL(00000018), ref: 024E3518
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                • String ID: CancelIoEx$KERNEL32
                                                                                • API String ID: 2902213904-434325024
                                                                                • Opcode ID: 654ad41bd5e3e38e3b8801b829dd1f5bd126ed352e8bfa661092a460a2bb1c66
                                                                                • Instruction ID: 425ad9aa04ad8a022e5b1fbecda2e1c23cefd39141d95031565cc12b3419be61
                                                                                • Opcode Fuzzy Hash: 654ad41bd5e3e38e3b8801b829dd1f5bd126ed352e8bfa661092a460a2bb1c66
                                                                                • Instruction Fuzzy Hash: AD317AB1900205DFEF029F64D894BBA7BF9BF88312F01899AE8069B344D7709905CFA1
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                                • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                                • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                                • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                                • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                • String ID:
                                                                                • API String ID: 3556715608-0
                                                                                • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                                • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403EF1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408574,?,004085C4,?,?,?,Runtime Error!Program: ), ref: 004060FA
                                                                                • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406112
                                                                                • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00406123
                                                                                • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406130
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                • API String ID: 2238633743-4044615076
                                                                                • Opcode ID: ea984a93ff560351788ad20c29eb99aad13fd5e912c3d8ef3fdbbe59f23fd654
                                                                                • Instruction ID: df2af2c5de4b25a8c2909cb75962e634be7cb6d7c0604ae4ccb63621d4521f2f
                                                                                • Opcode Fuzzy Hash: ea984a93ff560351788ad20c29eb99aad13fd5e912c3d8ef3fdbbe59f23fd654
                                                                                • Instruction Fuzzy Hash: 23018435700211DBC7109FB59FC0A177AE99A99780702053FB686FA2A3DA7888158FAD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                                • API String ID: 0-780898
                                                                                • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                                • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                                • API String ID: 0-2604012851
                                                                                • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                                                • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
                                                                                APIs
                                                                                • LCMapStringW.KERNEL32(00000000,00000100,00408640,00000001,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 00406409
                                                                                • LCMapStringA.KERNEL32(00000000,00000100,0040863C,00000001,00000000,00000000,?,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406425
                                                                                • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00405E87,?,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 0040646E
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 004064A6
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004064FE
                                                                                • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 00406514
                                                                                • LCMapStringW.KERNEL32(00000000,?,00405E87,00000000,00405E87,?,?,00405E87,00200020,00000000,?,00000000), ref: 00406547
                                                                                • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004065AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: String$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 352835431-0
                                                                                • Opcode ID: 88284e932c36288a6156d60e9a075990b1961716adce78fc703b9783983f64f7
                                                                                • Instruction ID: c7c9367f903c863ede83e3d284d9543b54c612c6a1cea3deb7ec850cd2334311
                                                                                • Opcode Fuzzy Hash: 88284e932c36288a6156d60e9a075990b1961716adce78fc703b9783983f64f7
                                                                                • Instruction Fuzzy Hash: B0517B71900209FFCF229F58DD49A9F7BB9FB48750F11413AF912B12A0D7398961DBA8
                                                                                APIs
                                                                                • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                                • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                                • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                                • sqlite3_free.SQLITE3 ref: 6095F180
                                                                                  • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                                  • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                                • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                                  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                                • String ID: |
                                                                                • API String ID: 1576672187-2343686810
                                                                                • Opcode ID: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                                • Opcode Fuzzy Hash: 45796efa6547682f16092b9fa288c01422e20de86ab54653b6df12e990b05c38
                                                                                • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                                                APIs
                                                                                • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                                  • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                                • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                                • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                                • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                                • API String ID: 652164897-1572359634
                                                                                • Opcode ID: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                                • Opcode Fuzzy Hash: 7664a015b2dc01db37cf12657f922778db359f6c70a1ba93bfebbfbe3581116b
                                                                                • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E3A
                                                                                • GetStdHandle.KERNEL32(000000F4,00408574,00000000,?,00000000,00000000), ref: 00403F10
                                                                                • WriteFile.KERNEL32(00000000), ref: 00403F17
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: File$HandleModuleNameWrite
                                                                                • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                • API String ID: 3784150691-4022980321
                                                                                • Opcode ID: 32de02305071a764a4faeeef9d8dd67e214c7308779322260feaa114c606003d
                                                                                • Instruction ID: ed3ec3965d8bd69fc4b5d81f244bb244573f08a521b35bb9d91034c0cc4ce6b8
                                                                                • Opcode Fuzzy Hash: 32de02305071a764a4faeeef9d8dd67e214c7308779322260feaa114c606003d
                                                                                • Instruction Fuzzy Hash: 7A319072A002186FDF24EA60CE4AFEA776CAF45305F10057FF584B61D1DAB8AE448A5D
                                                                                APIs
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                                • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                                • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                                • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                • String ID:
                                                                                • API String ID: 2352520524-0
                                                                                • Opcode ID: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                                • Opcode Fuzzy Hash: bf61c68f4ce88464188c3b4ec21cbec410585f797eaf5b0aff599f1fc01aebfc
                                                                                • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                                APIs
                                                                                  • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                  • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                  • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                                  • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                                  • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                  • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                  • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                                • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                                • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                                • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                • String ID: optimize
                                                                                • API String ID: 3659050757-3797040228
                                                                                • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                                • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                                APIs
                                                                                • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                                • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                                • sqlite3_reset.SQLITE3 ref: 60965556
                                                                                • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                                • sqlite3_free.SQLITE3 ref: 60965714
                                                                                • sqlite3_free.SQLITE3 ref: 6096574B
                                                                                  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                • sqlite3_free.SQLITE3 ref: 609657AA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 2722129401-0
                                                                                • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                                                • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                                APIs
                                                                                • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                  • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                                • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                  • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                                • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                • sqlite3_free.SQLITE3 ref: 6096477B
                                                                                • sqlite3_free.SQLITE3 ref: 60964783
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                                • String ID:
                                                                                • API String ID: 571598680-0
                                                                                • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                                • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040372D
                                                                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 00403741
                                                                                • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040376D
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037A5
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037C7
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037E0
                                                                                • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 004037F3
                                                                                • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403831
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                 • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1823725401-0
                                                                                • Opcode ID: 29f2d76fac090216a30a5ebb2bb190fa98c47cf692b42f92f5f77d8145aa531c
                                                                                • Instruction ID: d646e254ae1f8dd71c5cd3670e2a02489b7ca9a5ac7c87ef76d14b342e535d81
                                                                                • Opcode Fuzzy Hash: 29f2d76fac090216a30a5ebb2bb190fa98c47cf692b42f92f5f77d8145aa531c
                                                                                • Instruction Fuzzy Hash: 3431D2F35082615ED7203F745D8483BBE9CEA4530AB15453FF981F3280DA795D4286A9
                                                                                APIs
                                                                                • OpenEventA.KERNEL32(00100002,00000000,00000000,AC98CF45), ref: 024F06B0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024F06C5
                                                                                • ResetEvent.KERNEL32(00000000,AC98CF45), ref: 024F06CF
                                                                                • CloseHandle.KERNEL32(00000000,AC98CF45), ref: 024F0704
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,AC98CF45), ref: 024F077A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024F078F
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandle$CreateOpenReset
                                                                                • String ID:
                                                                                • API String ID: 1285874450-0
                                                                                • Opcode ID: be9db79a6428f85e30e46d7ecfe2ff978a67ba22508eb3ba8c56e01402f04bb4
                                                                                • Instruction ID: 2ca7c5871d66ee32dcc8cbba343feab0af652c9dc657d7a268d84719fbea131a
                                                                                • Opcode Fuzzy Hash: be9db79a6428f85e30e46d7ecfe2ff978a67ba22508eb3ba8c56e01402f04bb4
                                                                                • Instruction Fuzzy Hash: 8B415070D00758ABEF60CFA5CC48BAEBBB8BF85714F50425AE918AB385D7709905CF90
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 024E20AC
                                                                                • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 024E20CD
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024E20D8
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 024E213E
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 024E217A
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 024E2187
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024E21A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                • String ID:
                                                                                • API String ID: 1171374749-0
                                                                                • Opcode ID: 60fa0f85f6d23c658aa47c0e141b4f8dd92207a2d25d405ea09b744bd369cb14
                                                                                • Instruction ID: 89f7faab87cbc4ceb7fea5c53db9ed3e71b4768da1c0d3322f21afc72c4a340c
                                                                                • Opcode Fuzzy Hash: 60fa0f85f6d23c658aa47c0e141b4f8dd92207a2d25d405ea09b744bd369cb14
                                                                                • Instruction Fuzzy Hash: D3414B71504701AFD711DF26C884A6BBBF9FFC8655F404A1EF89A82250D770E909CFA1
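The per-function entries above (APIs, Memory Dump Source, Yara matches, Similarity) are hard to triage by eye once a report runs to thousands of lines. The Python below is an added helper, not part of this Joe Sandbox report or of Joe Security's tooling: it parses entries in this layout, groups them by memory-dump base, and separates the functions that live in a dump not backed by a PE image (here the 024E1000 region, which is also the one carrying the Yara matches) from the CRT code at 00400000 and the sqlite3 module mapped at 60900000. SAMPLE is a trimmed excerpt of the entries above keeping only the lines the parser keys on; the names FuncEntry, parse_entries, regions and unbacked_functions are mine.

```python
"""Parse Joe Sandbox per-function entries (APIs / Source File / Yara matches / API ID)
and group them by memory-dump base. Added helper, not part of the report or of Joe
Sandbox; SAMPLE is a trimmed excerpt of the entries above."""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function X:"
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s+(?P<key>[^:]+?):\s*(?P<val>.*)$")  # "• Key: value"
SRC_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)", re.I)

SAMPLE = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E3A
• WriteFile.KERNEL32(00000000), ref: 00403F17
• Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
APIs
  • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
• sqlite3_exec.SQLITE3 ref: 6096A4D7
• sqlite3_exec.SQLITE3 ref: 6096A523
• sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
APIs
• OpenEventA.KERNEL32(00100002,00000000,00000000,AC98CF45), ref: 024F06B0
• CloseHandle.KERNEL32(00000000), ref: 024F06C5
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,AC98CF45), ref: 024F077A
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Yara matches
• API ID: CloseEventHandle$CreateOpenReset
• String ID:
APIs
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 024E20CD
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 024E217A
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Yara matches
• API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
"""

@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)      # (name, module, ref) called directly
    subcalls: list = field(default_factory=list)  # (name, module, ref, parent_function)
    offset: int = 0                               # base of the dump the function was found in
    pe_backed: bool = True                        # "based on PE: true/false" from Source File
    yara: bool = False                            # entry carried a "Yara matches" header
    api_id: str = ""

def parse_entries(text):
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                        # every entry opens with its API list
            cur = FuncEntry()
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line == "Yara matches":
            cur.yara = True
        elif m := API_RE.match(line):
            rec = (m["name"], m["mod"], int(m["ref"], 16))
            if m["sub"]:
                cur.subcalls.append(rec + (int(m["sub"], 16),))
            else:
                cur.apis.append(rec)
        elif m := KV_RE.match(line):
            if m["key"] == "Source File" and (s := SRC_RE.search(m["val"])):
                cur.offset = int(s["off"], 16)
                cur.pe_backed = s["pe"].lower() == "true"
            elif m["key"] == "API ID":
                cur.api_id = m["val"]
    return entries

def regions(entries):
    """Per dump base: PE-backed?, any Yara hit?, function count, distinct direct API names."""
    out = {}
    for e in entries:
        r = out.setdefault(e.offset, {"pe_backed": e.pe_backed, "yara": False, "functions": 0, "apis": set()})
        r["yara"] |= e.yara
        r["functions"] += 1
        r["apis"].update(n for n, _, _ in e.apis)
    return {k: {**v, "apis": sorted(v["apis"])} for k, v in out.items()}

def unbacked_functions(entries):
    """Functions in dumps not backed by a PE image: in this report, the Yara-matched code."""
    return [e for e in entries if not e.pe_backed]

if __name__ == "__main__":
    for base, r in sorted(regions(parse_entries(SAMPLE)).items()):
        kind = "pe-backed" if r["pe_backed"] else "UNBACKED "
        print(f"{base:08X} {kind} yara={r['yara']!s:5} funcs={r['functions']} apis={', '.join(r['apis'])}")
```

Run against the full report text rather than SAMPLE, the region table gives one row per dump base; the row with `based on PE: false` and a Yara hit is where to start reversing, and `unbacked_functions` returns exactly those entries with their direct and subcall API references for cross-referencing against the IDA snapshot.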
                                                                                APIs
                                                                                  • Part of subcall function 024F0ED0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,024F072E,?,?), ref: 024F0EFF
                                                                                  • Part of subcall function 024F0ED0: CloseHandle.KERNEL32(00000000,?,?,024F072E,?,?), ref: 024F0F14
                                                                                  • Part of subcall function 024F0ED0: SetEvent.KERNEL32(00000000,024F072E,?,?), ref: 024F0F27
                                                                                • OpenEventA.KERNEL32(00100002,00000000,00000000,AC98CF45), ref: 024F06B0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024F06C5
                                                                                • ResetEvent.KERNEL32(00000000,AC98CF45), ref: 024F06CF
                                                                                • CloseHandle.KERNEL32(00000000,AC98CF45), ref: 024F0704
                                                                                • __CxxThrowException@8.LIBCMT ref: 024F0735
                                                                                  • Part of subcall function 024F31BA: RaiseException.KERNEL32(?,?,024EEB5E,?,?,?,?,?,?,?,024EEB5E,?,0250ECA8,?), ref: 024F320F
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,AC98CF45), ref: 024F077A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024F078F
                                                                                  • Part of subcall function 024F0C10: GetCurrentProcessId.KERNEL32(?), ref: 024F0C69
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,AC98CF45), ref: 024F079F
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                • String ID:
                                                                                • API String ID: 2227236058-0
                                                                                APIs
                                                                                • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                  • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                                • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                                • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                                • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                • sqlite3_free.SQLITE3 ref: 60963621
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                                • String ID:
                                                                                • API String ID: 4276469440-0
                                                                                APIs
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 024E2706
                                                                                • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 024E272B
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02503163), ref: 024E2738
                                                                                  • Part of subcall function 024E1712: __EH_prolog.LIBCMT ref: 024E1717
                                                                                • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 024E2778
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 024E27D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                • String ID: timer
                                                                                • API String ID: 4293676635-1792073242
                                                                                APIs
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                Strings
                                                                                • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                • API String ID: 4080917175-264706735
                                                                                APIs
                                                                                  • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID: library routine called out of sequence$out of memory
                                                                                • API String ID: 2019783549-3029887290
                                                                                APIs
                                                                                • __init_pointers.LIBCMT ref: 024F49F4
                                                                                  • Part of subcall function 024F70B0: RtlEncodePointer.NTDLL(00000000), ref: 024F70B3
                                                                                  • Part of subcall function 024F70B0: __initp_misc_winsig.LIBCMT ref: 024F70CE
                                                                                  • Part of subcall function 024F70B0: GetModuleHandleW.KERNEL32(kernel32.dll,?,0250F248,00000008,00000003,0250EC8C,?,00000001), ref: 024F7E33
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 024F7E47
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 024F7E5A
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 024F7E6D
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 024F7E80
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 024F7E93
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 024F7EA6
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 024F7EB9
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 024F7ECC
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 024F7EDF
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 024F7EF2
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 024F7F05
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 024F7F18
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 024F7F2B
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 024F7F3E
                                                                                  • Part of subcall function 024F70B0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 024F7F51
                                                                                • __mtinitlocks.LIBCMT ref: 024F49F9
                                                                                • __mtterm.LIBCMT ref: 024F4A02
                                                                                  • Part of subcall function 024F4A6A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 024F74E6
                                                                                  • Part of subcall function 024F4A6A: _free.LIBCMT ref: 024F74ED
                                                                                  • Part of subcall function 024F4A6A: RtlDeleteCriticalSection.NTDLL(02511978), ref: 024F750F
                                                                                • __calloc_crt.LIBCMT ref: 024F4A27
                                                                                • __initptd.LIBCMT ref: 024F4A49
                                                                                • GetCurrentThreadId.KERNEL32 ref: 024F4A50
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                • String ID:
                                                                                • API String ID: 3567560977-0
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 024F24DB
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 024F24E2
                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 024F24EE
                                                                                • RtlDecodePointer.NTDLL(00000001), ref: 024F250B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                • String ID: RoInitialize$combase.dll
                                                                                • API String ID: 3489934621-340411864
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,024F24B0), ref: 024F25B0
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 024F25B7
                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 024F25C2
                                                                                • RtlDecodePointer.NTDLL(024F24B0), ref: 024F25DD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                • String ID: RoUninitialize$combase.dll
                                                                                • API String ID: 3489934621-2819208100
                                                                                APIs
                                                                                • TlsGetValue.KERNEL32(FFFFFFFF,AC98CF45,?,?,?,?,00000000,025040D8,000000FF,024F11CA), ref: 024F0F6A
                                                                                • TlsSetValue.KERNEL32(FFFFFFFF,024F11CA,?,?,00000000), ref: 024F0FD7
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 024F1001
                                                                                • HeapFree.KERNEL32(00000000), ref: 024F1004
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HeapValue$FreeProcess
                                                                                • String ID:
                                                                                • API String ID: 1812714009-0
                                                                                APIs
                                                                                • _ValidateScopeTableHandlers.LIBCMT ref: 02502DA0
                                                                                • __FindPESection.LIBCMT ref: 02502DBA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FindHandlersScopeSectionTableValidate
                                                                                • String ID:
                                                                                • API String ID: 876702719-0
                                                                                • Opcode ID: 5e406d1c2ca66545c5775a341962d781943d8330b92556fc897050dcb5a5f294
                                                                                • Instruction ID: cd066a7401ddba43632d506bb9680c4fbc64eb4471d3cedfcb459f2607ceac45
                                                                                • Opcode Fuzzy Hash: 5e406d1c2ca66545c5775a341962d781943d8330b92556fc897050dcb5a5f294
                                                                                • Instruction Fuzzy Hash: D6A1AE72A406158FDB24CF18CDC97A9BBA6FB88314F584669DC15EB380E730E945CB98
                                                                                APIs
                                                                                • GetStringTypeW.KERNEL32(00000001,00408640,00000001,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 004062BD
                                                                                • GetStringTypeA.KERNEL32(00000000,00000001,0040863C,00000001,?,?,00000000,00000000,00000001), ref: 004062D7
                                                                                • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 0040630B
                                                                                • MultiByteToWideChar.KERNEL32(00405E87,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406343
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406399
                                                                                • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063AB
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: StringType$ByteCharMultiWide
                                                                                • String ID:
                                                                                • API String ID: 3852931651-0
                                                                                • Opcode ID: cf2b00ed6b196f36b683551b44420558e4c124c4ce81df5fbf361f916f1db976
                                                                                • Instruction ID: c24f9c314fd5361508d9a81ca748d23a743e3bd76f11a01e88467cad10db7353
                                                                                • Opcode Fuzzy Hash: cf2b00ed6b196f36b683551b44420558e4c124c4ce81df5fbf361f916f1db976
                                                                                • Instruction Fuzzy Hash: A7418072500219EFDF119F94DE85AAF3F78EB04310F11453AFA52F6290C73989608BA8
                                                                                APIs
                                                                                • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                                  • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                                • sqlite3_log.SQLITE3 ref: 609498F5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                                • String ID: List of tree roots: $d$|
                                                                                • API String ID: 3709608969-1164703836
                                                                                • Opcode ID: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                                • Opcode Fuzzy Hash: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                                • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                                APIs
                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 024E1CB1
                                                                                • CloseHandle.KERNEL32(?), ref: 024E1CBA
                                                                                • InterlockedExchangeAdd.KERNEL32(02515264,00000000), ref: 024E1CC6
                                                                                • TerminateThread.KERNEL32(?,00000000), ref: 024E1CD4
                                                                                • QueueUserAPC.KERNEL32(024E1E7C,?,00000000), ref: 024E1CE1
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 024E1CEC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                • String ID:
                                                                                • API String ID: 1946104331-0
                                                                                • Opcode ID: 8cac33b688670aff0b309415e22bb9857ece82194f6f864d4b081aa3216d8b18
                                                                                • Instruction ID: 1b574ecc31d2a0b6cf9df561453268384154d8f2dcf112a84c7b4ffc7826231f
                                                                                • Opcode Fuzzy Hash: 8cac33b688670aff0b309415e22bb9857ece82194f6f864d4b081aa3216d8b18
                                                                                • Instruction Fuzzy Hash: CCF06D31980200AFAB105F96DC49D6B7BB8FB85721740461AF52E82154EB709814DFA4
                                                                                APIs
                                                                                  • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                  • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                  • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                  • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                                • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                                • sqlite3_free.SQLITE3 ref: 6096029A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                                • String ID: e
                                                                                • API String ID: 786425071-4024072794
                                                                                • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                                • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                                • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 024E2BE4
                                                                                • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 024E2C07
                                                                                  • Part of subcall function 024E9505: WSAGetLastError.WS2_32(00000000,?,?,024E2A51), ref: 024E9513
                                                                                • WSASetLastError.WS2_32 ref: 024E2CD3
                                                                                • select.WS2_32(?,?,00000000,00000000,00000000), ref: 024E2CE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Recvselect
                                                                                • String ID: 3'
                                                                                • API String ID: 886190287-280543908
                                                                                • Opcode ID: 812e065a2033621ce50eceafb7a563a59080ab628e50f2c598b16a0c4d53c8dc
                                                                                • Instruction ID: fa45af8d6672250004802a2f0548f21b56e890fa1d2efb2b628ccfdce3539c1a
                                                                                • Opcode Fuzzy Hash: 812e065a2033621ce50eceafb7a563a59080ab628e50f2c598b16a0c4d53c8dc
                                                                                • Instruction Fuzzy Hash: EE417DB19043019FEB10DF75C85476BBBE9AF84356F104E1FE89A87280EBB4D945CB91
                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403A70
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403AD0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                • API String ID: 1385375860-4131005785
                                                                                • Opcode ID: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
                                                                                • Instruction ID: 8e0d8efe135bd9bd4ab90b631ae35de0fa5087430b450c3f58eab12f6465c816
                                                                                • Opcode Fuzzy Hash: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
                                                                                • Instruction Fuzzy Hash: BD3102319012886DEB319A745C46B9B7F6C9B02309F2404FBE185F52C3E6389F89CB1D
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_exec
                                                                                • String ID: sqlite_master$sqlite_temp_master$|
                                                                                • API String ID: 2141490097-2247242311
                                                                                • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                                                • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                                • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                                                APIs
                                                                                • std::exception::exception.LIBCMT ref: 024F097F
                                                                                  • Part of subcall function 024F14D3: std::exception::_Copy_str.LIBCMT ref: 024F14EC
                                                                                  • Part of subcall function 024EFD50: __CxxThrowException@8.LIBCMT ref: 024EFDAE
                                                                                • std::exception::exception.LIBCMT ref: 024F09DE
                                                                                Strings
                                                                                • boost unique_lock has no mutex, xrefs: 024F096E
                                                                                • boost unique_lock owns already the mutex, xrefs: 024F09CD
                                                                                • $, xrefs: 024F09E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                                • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                                • API String ID: 2140441600-46888669
                                                                                • Opcode ID: e04453d4dd75cf4d3e549edb99f17f37d15d1a7834810c57aa83d0cd220f9d50
                                                                                • Instruction ID: 374b307a49d1227fb676f25a1ff6f34de251b9e9d219975cfc11ae05f3b72263
                                                                                • Opcode Fuzzy Hash: e04453d4dd75cf4d3e549edb99f17f37d15d1a7834810c57aa83d0cd220f9d50
                                                                                • Instruction Fuzzy Hash: 972108B19087809FD750DF25C554B5BBBE9BB88708F004A5EF5A587281D7B5D408CF92
                                                                                APIs
                                                                                • __getptd_noexit.LIBCMT ref: 024F36E0
                                                                                  • Part of subcall function 024F48D2: GetLastError.KERNEL32(774D0A60,774CF550,024F4AC0,024F2033,774CF550,?,024E5A07,00000104,774D0A60,774CF550,ntdll.dll,?,?,?,024E5EE3), ref: 024F48D4
                                                                                  • Part of subcall function 024F48D2: __calloc_crt.LIBCMT ref: 024F48F5
                                                                                  • Part of subcall function 024F48D2: __initptd.LIBCMT ref: 024F4917
                                                                                  • Part of subcall function 024F48D2: GetCurrentThreadId.KERNEL32 ref: 024F491E
                                                                                  • Part of subcall function 024F48D2: SetLastError.KERNEL32(00000000,024E5A07,00000104,774D0A60,774CF550,ntdll.dll,?,?,?,024E5EE3), ref: 024F4936
                                                                                • __calloc_crt.LIBCMT ref: 024F3703
                                                                                • __get_sys_err_msg.LIBCMT ref: 024F3721
                                                                                • __invoke_watson.LIBCMT ref: 024F373E
                                                                                Strings
                                                                                • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 024F36EB, 024F3711
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                                • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                • API String ID: 109275364-798102604
                                                                                • Opcode ID: aa1d5d180f033a0139749daafc61c83ed98e24de54e0560f643eea5c46ac9c74
                                                                                • Instruction ID: 261c79a48e17e8263981808e67b380abe877f834a943569a622ed61affb480a6
                                                                                • Opcode Fuzzy Hash: aa1d5d180f033a0139749daafc61c83ed98e24de54e0560f643eea5c46ac9c74
                                                                                • Instruction Fuzzy Hash: D7F0B476904A9466A7A13D2B5C80A6B7ADDDBC0AA4B0044ABFF4496301EB21DC110694
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 024E2350
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 024E2360
                                                                                • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 024E2370
                                                                                • GetLastError.KERNEL32 ref: 024E237A
                                                                                  • Part of subcall function 024E1712: __EH_prolog.LIBCMT ref: 024E1717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                                • String ID: pqcs
                                                                                • API String ID: 1619523792-2559862021
                                                                                • Opcode ID: 545aaa4b77f2d6ac2e312765e4505c38c8ef8cb3e811a80e6612c39f92894766
                                                                                • Instruction ID: b9c8cd31e4cc19742c5fc8b046d0a46fb5827e40ced3419047ae5e8b9aa802e2
                                                                                • Opcode Fuzzy Hash: 545aaa4b77f2d6ac2e312765e4505c38c8ef8cb3e811a80e6612c39f92894766
                                                                                • Instruction Fuzzy Hash: B5F09070A40308AFEF20AF709C59FBF77BCFB00602B40092AE946C2944F7B099188F90
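The per-function blocks above carry the fields an analyst normally wants to pull out of a report like this in bulk: the call sites and API set of each function, the dump region it was lifted from, whether that region is backed by a PE file on disk, and the Similarity identifiers. Here the functions lifted from the region at 024E1000 are marked "based on PE: false" and sit under a "Yara matches" header, while the sqlite3 module at 60900000 and the main image at 00400000 are PE-backed. The Python below is an added example, not Joe Sandbox's own code and not part of this report: it parses blocks in the layout shown on this page into records, groups them by region, and lists the regions that are not PE-backed as candidates for unpacked or injected code. The embedded sample text is constructed from two of this page's blocks, trimmed to the lines the parser reads; treating a "Yara matches" header as meaning the block's region matched is an assumption drawn from this page's layout rather than from Joe Sandbox documentation.

```python
# Added example (not Joe Sandbox's own code): parse the per-function summary blocks on this page.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two blocks in this page's layout, trimmed to the lines the parser reads.
SAMPLE = """\
APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 024E2350
• PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 024E2370
• GetLastError.KERNEL32 ref: 024E237A
  • Part of subcall function 024E1712: __EH_prolog.LIBCMT ref: 024E1717
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
• String ID: pqcs
• API String ID: 1619523792-2559862021
APIs
• sqlite3_malloc.SQLITE3 ref: 6094B1D1
• sqlite3_value_blob.SQLITE3 ref: 6094B298
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Similarity
• API ID: sqlite3_mallocsqlite3_value_blob
• String ID:
• API String ID: 683514883-0
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                           # call-site address as printed in the report
    subcall_of: Optional[str] = None   # set for "Part of subcall function X" lines

@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    offset: str = ""                   # base of the dumped region, e.g. "024E1000"
    pe_backed: Optional[bool] = None   # from "based on PE: true/false"
    yara_matched: bool = False         # assumption: block carries a "Yara matches" header
    similarity: dict = field(default_factory=dict)  # API ID, String ID, API String ID, ...
    def direct_api_names(self) -> set:
        """APIs the function calls itself, excluding those attributed to subcalls."""
        return {c.name for c in self.calls if c.subcall_of is None}

def parse_function_blocks(text: str) -> list:
    """Each 'APIs' header starts a new function block; bullets are parsed per section."""
    funcs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionSummary()
                funcs.append(cur)
            elif line == "Yara matches" and cur is not None:
                cur.yara_matched = True
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        if section == "APIs" and (m := CALL_RE.match(raw)):
            cur.calls.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.search(raw)):
            cur.offset, cur.pe_backed = m["off"], m["pe"] == "true"
        elif section == "Similarity" and (m := KV_RE.match(raw)):
            cur.similarity[m["key"]] = m["val"]
    return funcs

def summarize_by_region(funcs: list) -> dict:
    """Per dump offset: PE-backed?, function count, Yara-matched count, direct API set."""
    regions = {}
    for f in funcs:
        r = regions.setdefault(f.offset, {"pe_backed": f.pe_backed, "functions": 0,
                                          "yara": 0, "apis": set()})
        r["functions"] += 1
        r["yara"] += int(f.yara_matched)
        r["apis"] |= f.direct_api_names()
    return regions

def unbacked_regions(regions: dict) -> list:
    """Dump regions not backed by a PE on disk: candidates for unpacked or injected code."""
    return sorted(off for off, r in regions.items() if r["pe_backed"] is False)

def functions_calling(funcs: list, api: str) -> list:
    """Lowest direct call-site address of each function that itself calls `api`."""
    return sorted(min(c.ref for c in f.calls if c.subcall_of is None)
                  for f in funcs if api in f.direct_api_names())
```

Run `parse_function_blocks` over a text export of the report (or over `SAMPLE`) and pass the result to `summarize_by_region` and `unbacked_regions`; `functions_calling(funcs, "PostQueuedCompletionStatus")` then gives the call sites of the completion-port signalling seen in the block above. On this report the 024E1000 region comes back as not PE-backed and Yara-matched while 60900000 and 00400000 are PE-backed, which is the usual first cut when deciding which dump to load into a disassembler.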
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E4035
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 024E4042
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 024E4049
                                                                                • std::exception::exception.LIBCMT ref: 024E4063
                                                                                  • Part of subcall function 024E96C6: __EH_prolog.LIBCMT ref: 024E96CB
                                                                                  • Part of subcall function 024E96C6: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 024E96DA
                                                                                  • Part of subcall function 024E96C6: __CxxThrowException@8.LIBCMT ref: 024E96F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 3112922283-2104205924
                                                                                • Opcode ID: 7297ba5c0a27bf611629adaf1718b6e8d5120bcad0a8511b56dea869bc5a982e
                                                                                • Instruction ID: 0ca4bf121cc421fe52944f9ac8fcf07495aa9f260486341ed4acbd3fb514734e
                                                                                • Opcode Fuzzy Hash: 7297ba5c0a27bf611629adaf1718b6e8d5120bcad0a8511b56dea869bc5a982e
                                                                                • Instruction Fuzzy Hash: D7F05E71D4024AEBDB00EFE1CD88BEF77B8FB04301F004459E915A6280DB3441188F95
                                                                                APIs
                                                                                  • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                                • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                                • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                                • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                                • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                                  • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                                  • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                                  • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                                  • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                                • String ID:
                                                                                • API String ID: 683514883-0
                                                                                • Opcode ID: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                                                • Opcode Fuzzy Hash: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
                                                                                • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                                                APIs
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                                                • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                                                • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                                                • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                                                • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                                                  • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                  • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                  • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                                                • String ID:
                                                                                • API String ID: 1903298374-0
                                                                                • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                                                • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                                                • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                                                APIs
                                                                                • GetStartupInfoA.KERNEL32(?), ref: 0040389D
                                                                                • GetFileType.KERNEL32(00000800), ref: 00403943
                                                                                • GetStdHandle.KERNEL32(-000000F6), ref: 0040399C
                                                                                • GetFileType.KERNEL32(00000000), ref: 004039AA
                                                                                • SetHandleCount.KERNEL32 ref: 004039E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandleType$CountInfoStartup
                                                                                • String ID:
                                                                                • API String ID: 1710529072-0
                                                                                • Opcode ID: 8d0a60c3e4ac118d2a900155c67ad164fc617dcd942d9939c19efbd45a80342d
                                                                                • Instruction ID: f62a53ccb3921abde3b71b62465be81688a6b50f354c2269ba15f2c38ec8df3a
                                                                                • Opcode Fuzzy Hash: 8d0a60c3e4ac118d2a900155c67ad164fc617dcd942d9939c19efbd45a80342d
                                                                                • Instruction Fuzzy Hash: 395148B25146408BC7208F29C9887267F98BB02326F05873AE496FB3E1D7B8DA05C709
                                                                                APIs
                                                                                  • Part of subcall function 024F0A50: CloseHandle.KERNEL32(00000000,AC98CF45), ref: 024F0AA1
                                                                                  • Part of subcall function 024F0A50: WaitForSingleObject.KERNEL32(?,000000FF,AC98CF45,?,?,?,?,AC98CF45,024F0A23,AC98CF45), ref: 024F0AB8
                                                                                • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 024F0D1E
                                                                                • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 024F0D3E
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 024F0D77
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 024F0DCB
                                                                                • SetEvent.KERNEL32(?), ref: 024F0DD2
                                                                                  • Part of subcall function 024E418C: CloseHandle.KERNEL32(00000000,?,024F0D05), ref: 024E41B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                                • String ID:
                                                                                • API String ID: 4166353394-0
                                                                                • Opcode ID: ef1fd7aa6c20bb9bd2d4d6f69d372e00252616f9569174c4c4a728ae68415d9f
                                                                                • Instruction ID: 7a35afe62fae5815d3ad476bed858fa8b81196dfd381103e07ec4a9ba7d5d12e
                                                                                • Opcode Fuzzy Hash: ef1fd7aa6c20bb9bd2d4d6f69d372e00252616f9569174c4c4a728ae68415d9f
                                                                                • Instruction Fuzzy Hash: 644116326013019FDB669F29CC80B2777A4EFC5324F14066AED19EB38AD736E8158B95
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 024E20AC
                                                                                • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 024E20CD
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024E20D8
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 024E213E
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024E21A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                                • String ID:
                                                                                • API String ID: 1611172436-0
                                                                                • Opcode ID: 5058e88f5e6027b81630459e47f818267ba622bdded93e22f5cdd0202b509189
                                                                                • Instruction ID: 4f1e7dfaba755e36c067af43077962483248a488781440143d31a9c61d0c3107
                                                                                • Opcode Fuzzy Hash: 5058e88f5e6027b81630459e47f818267ba622bdded93e22f5cdd0202b509189
                                                                                • Instruction Fuzzy Hash: 1B318B71504701AFD711DF25D884A6BB7F9FFC8611F040A1EA89683250D770E906CFA2
                                                                                APIs
                                                                                  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                                • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                                • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                                • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                • String ID:
                                                                                • API String ID: 1894464702-0
                                                                                • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                                                • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                                                • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024ED0FC
                                                                                  • Part of subcall function 024E1A01: TlsGetValue.KERNEL32 ref: 024E1A0A
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024ED17B
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 024ED197
                                                                                • InterlockedIncrement.KERNEL32(025130F0), ref: 024ED1BC
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 024ED1D1
                                                                                  • Part of subcall function 024E27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 024E284E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                                • String ID:
                                                                                • API String ID: 1578506061-0
                                                                                • Opcode ID: 5d9374dc502d8cde2325cbf93ca31f9790664997d74aa94176e6a3ca4b589386
                                                                                • Instruction ID: 3f6d24712618e5b2bd6abe77b292760d7c2be46b6731697345704ab7179c2fb4
                                                                                • Opcode Fuzzy Hash: 5d9374dc502d8cde2325cbf93ca31f9790664997d74aa94176e6a3ca4b589386
                                                                                • Instruction Fuzzy Hash: DD3135B1D00305DFDB10DFA9C984AAEBBF8BB08311F00895ED84AD7640E774AA04CFA4
                                                                                APIs
                                                                                  • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                                                • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                                                • sqlite3_log.SQLITE3 ref: 609253E2
                                                                                • sqlite3_log.SQLITE3 ref: 60925406
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                • String ID:
                                                                                • API String ID: 3336957480-0
                                                                                • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                                                • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02

APIs
• sqlite3_result_blob.SQLITE3 ref: 609613D0
• sqlite3_column_int.SQLITE3 ref: 6096143A
• sqlite3_data_count.SQLITE3 ref: 60961465
• sqlite3_column_value.SQLITE3 ref: 60961476
• sqlite3_result_value.SQLITE3 ref: 60961482
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
• String ID:
• API String ID: 3091402450-0
• Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
• Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
• Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
• Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81

APIs
• WSASetLastError.WS2_32(00000000), ref: 024E2A3B
• closesocket.WS2_32 ref: 024E2A42
• ioctlsocket.WS2_32(?,8004667E,00000000), ref: 024E2A89
• WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 024E2A97
• closesocket.WS2_32 ref: 024E2A9E
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: ErrorLastclosesocket$ioctlsocket
• String ID:
• API String ID: 1561005644-0
• Opcode ID: 59ae7c5c118c74811ab3fc93e8a44c897ea8c133436cf486936cd683e6151e78
• Instruction ID: 06c3edc91421319328cad569b3d9fb7febb7cf432a63fa91aa93c4e2d01f7901
• Opcode Fuzzy Hash: 59ae7c5c118c74811ab3fc93e8a44c897ea8c133436cf486936cd683e6151e78
• Instruction Fuzzy Hash: 6021C471E00205AFFF20DFB8984476F76ADAF84316F11496FE857C3281EBB089448B61

APIs
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
• String ID:
• API String ID: 251237202-0
• Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
• Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
• Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
• Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82

APIs
• __EH_prolog.LIBCMT ref: 024E1BAC
• RtlEnterCriticalSection.NTDLL ref: 024E1BBC
• RtlLeaveCriticalSection.NTDLL ref: 024E1BEA
• RtlEnterCriticalSection.NTDLL ref: 024E1C13
• RtlLeaveCriticalSection.NTDLL ref: 024E1C56
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$H_prolog
• String ID:
• API String ID: 1633115879-0
• Opcode ID: 39722091ee5734b655cc3f233b11133a434f9dd817401f09a73e5b8e744b883e
• Instruction ID: 9dff9fdf568aa2bcd2483c4f4c22c2c4e536383095032db24958b55cf5f425dc
• Opcode Fuzzy Hash: 39722091ee5734b655cc3f233b11133a434f9dd817401f09a73e5b8e744b883e
• Instruction Fuzzy Hash: 2C219A75A40204AFEB14CF68C888BAABBB5FF48315F10854AE81E97300D771ED05CBE0

APIs
• sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
• sqlite3_value_text.SQLITE3 ref: 6091A349
• sqlite3_value_bytes.SQLITE3 ref: 6091A356
• sqlite3_value_text.SQLITE3 ref: 6091A37B
• sqlite3_value_bytes.SQLITE3 ref: 6091A387
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
• String ID:
• API String ID: 4225432645-0
• Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
• Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
• Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
• Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91

APIs
• _malloc.LIBCMT ref: 024FE8A0
  • Part of subcall function 024F1FAC: __FF_MSGBANNER.LIBCMT ref: 024F1FC3
  • Part of subcall function 024F1FAC: __NMSG_WRITE.LIBCMT ref: 024F1FCA
  • Part of subcall function 024F1FAC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 024F1FEF
• _free.LIBCMT ref: 024FE8B3
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
• Opcode ID: 571d5432e1984e12c965d9db47e21c4883006f76e8210d2ad3ad9b9e28955186
• Instruction ID: 0c74d6a5b8749ed493ec7e1e44cde58857b17c4efa35c7f40c7d18def4685025
• Opcode Fuzzy Hash: 571d5432e1984e12c965d9db47e21c4883006f76e8210d2ad3ad9b9e28955186
• Instruction Fuzzy Hash: 8511AB32E04215AFCFE13F75A844B5B3795AFC4361B50452BFF4997260EF3484519AA4

APIs
• __EH_prolog.LIBCMT ref: 024E21DA
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024E21ED
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 024E2224
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 024E2237
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 024E2261
  • Part of subcall function 024E2341: InterlockedExchange.KERNEL32(?,00000001), ref: 024E2350
  • Part of subcall function 024E2341: InterlockedExchange.KERNEL32(?,00000001), ref: 024E2360
  • Part of subcall function 024E2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 024E2370
  • Part of subcall function 024E2341: GetLastError.KERNEL32 ref: 024E237A
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
• Opcode ID: a8b308c70f3bb0e102b57446fda6dd56c614c9e2737093acf39c59b3e4088bf6
• Instruction ID: 731c708b1ca603c70f992b11b6db970f775a75577c338eb3d7e6381133228a0e
• Opcode Fuzzy Hash: a8b308c70f3bb0e102b57446fda6dd56c614c9e2737093acf39c59b3e4088bf6
• Instruction Fuzzy Hash: F9118C72D00114EBEF11DFA5D844AAEBBBAFF44301B00451BEC1296260E7B18A65DF95

APIs
• __EH_prolog.LIBCMT ref: 024E229D
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024E22B0
• TlsGetValue.KERNEL32 ref: 024E22E7
• TlsSetValue.KERNEL32(?), ref: 024E2300
• TlsSetValue.KERNEL32(?,?,?), ref: 024E231C
  • Part of subcall function 024E2341: InterlockedExchange.KERNEL32(?,00000001), ref: 024E2350
  • Part of subcall function 024E2341: InterlockedExchange.KERNEL32(?,00000001), ref: 024E2360
  • Part of subcall function 024E2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 024E2370
  • Part of subcall function 024E2341: GetLastError.KERNEL32 ref: 024E237A
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
• String ID:
• API String ID: 1856819132-0
• Opcode ID: aec6df868b182753f8b96313d3fba9538cd3c1a755967224b9610af6daec8a9b
• Instruction ID: 2a988875176e838b9ec6f7814258eb8729b067063d4e037fb39dd58adc0a4737
• Opcode Fuzzy Hash: aec6df868b182753f8b96313d3fba9538cd3c1a755967224b9610af6daec8a9b
• Instruction Fuzzy Hash: FD115E72D00119EBDF05DFA5DC44AAEBBBAFF84310F04451BE801A3250D7B18965DF94

APIs
  • Part of subcall function 024EA161: __EH_prolog.LIBCMT ref: 024EA166
• __CxxThrowException@8.LIBCMT ref: 024EAD2B
  • Part of subcall function 024F31BA: RaiseException.KERNEL32(?,?,024EEB5E,?,?,?,?,?,?,?,024EEB5E,?,0250ECA8,?), ref: 024F320F
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,0250FA1C,?,00000001), ref: 024EAD41
• InterlockedExchange.KERNEL32(?,00000001), ref: 024EAD54
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,0250FA1C,?,00000001), ref: 024EAD64
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 024EAD72
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
• String ID:
• API String ID: 2725315915-0
• Opcode ID: 63fdb9ff5ca5e30f7bf5bb4f7563a8defe108a17ba6c2e8da1cd5bf4e38d228f
• Instruction ID: 29c6e7ba39aa49ab18a8d27afada3bc84d31c548ee0f4848afab47fd0bcde892
• Opcode Fuzzy Hash: 63fdb9ff5ca5e30f7bf5bb4f7563a8defe108a17ba6c2e8da1cd5bf4e38d228f
• Instruction Fuzzy Hash: AE01D672A40214AFEF109EA0DCD8F9F77ADFB04326B448815F612D7290EB60E8088B50

APIs
• InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 024E2432
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 024E2445
• RtlEnterCriticalSection.NTDLL(?), ref: 024E2454
• InterlockedExchange.KERNEL32(?,00000001), ref: 024E2469
• RtlLeaveCriticalSection.NTDLL(?), ref: 024E2470
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
• String ID:
• API String ID: 747265849-0
• Opcode ID: bb3994eae40866d68ceb38492c5ea699461b515312bf7c2d83eca2dc5eb7b594
• Instruction ID: 8870de41a77804ff0d3d69d50cd59c24cacc62b7e83c6839ff80367be2523d15
• Opcode Fuzzy Hash: bb3994eae40866d68ceb38492c5ea699461b515312bf7c2d83eca2dc5eb7b594
• Instruction Fuzzy Hash: 30F06D72640204BBEA00AEA0ED9DFEA772CFF04712FC04412F701D6084E7A1A528CBE4

APIs
• InterlockedIncrement.KERNEL32(?), ref: 024E1ED2
• PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 024E1EEA
• RtlEnterCriticalSection.NTDLL(?), ref: 024E1EF9
• InterlockedExchange.KERNEL32(?,00000001), ref: 024E1F0E
• RtlLeaveCriticalSection.NTDLL(?), ref: 024E1F15
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
• String ID:
• API String ID: 830998967-0
• Opcode ID: 3a164a674c3d5350d381c1b468f6d70de3a8848fedd163b832f29bf49f52ff7c
• Instruction ID: dae6b9b3bf85d4e57309cf61d0660e895193f9254b7fbf9c9979071766d2c174
• Opcode Fuzzy Hash: 3a164a674c3d5350d381c1b468f6d70de3a8848fedd163b832f29bf49f52ff7c
• Instruction Fuzzy Hash: F3F09032640504BFDB00AFA1ED98FEA776CFF04301F800416F60286444E771A568CFE4

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_log
• String ID: ($string or blob too big$|
• API String ID: 632333372-2398534278

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731

APIs
• WSASetLastError.WS2_32(00000000), ref: 024E30C3
• WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 024E3102
• _memcmp.LIBCMT ref: 024E3141
Strings
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastString_memcmp
• String ID: 255.255.255.255
• API String ID: 1618111833-2422070025

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: Virtual$Protect$Query
• String ID: @
• API String ID: 3618607426-2766056989

APIs
• sqlite3_malloc.SQLITE3 ref: 60928353
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
• sqlite3_realloc.SQLITE3 ref: 609283A0
• sqlite3_free.SQLITE3 ref: 609283B6
Strings
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
• String ID: d
• API String ID: 211589378-2564639436

APIs
• __EH_prolog.LIBCMT ref: 024E1F5B
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 024E1FC5
• GetLastError.KERNEL32(?,00000000), ref: 024E1FD2
  • Part of subcall function 024E1712: __EH_prolog.LIBCMT ref: 024E1717
Strings
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: H_prolog$CompletionCreateErrorLastPort
• String ID: iocp
• API String ID: 998023749-976528080

APIs
• ExitProcess.KERNEL32 ref: 00401935
• CreateFileA.KERNEL32(C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe), ref: 00401BF9
• CloseHandle.KERNEL32(?), ref: 004022F2
Strings
• C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe, xrefs: 004018D0
Memory Dump Source
• Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
Similarity
• API ID: CloseCreateExitFileHandleProcess
• String ID: C:\Users\user\AppData\Local\Universal Video Converter 5.3.12\universalvc22.exe
• API String ID: 2570545808-2917538454

APIs
• _malloc.LIBCMT ref: 024F27CD
  • Part of subcall function 024F1FAC: __FF_MSGBANNER.LIBCMT ref: 024F1FC3
  • Part of subcall function 024F1FAC: __NMSG_WRITE.LIBCMT ref: 024F1FCA
  • Part of subcall function 024F1FAC: RtlAllocateHeap.NTDLL(00800000,00000000,00000001), ref: 024F1FEF
• std::exception::exception.LIBCMT ref: 024F27EB
• __CxxThrowException@8.LIBCMT ref: 024F2800
  • Part of subcall function 024F31BA: RaiseException.KERNEL32(?,?,024EEB5E,?,?,?,?,?,?,?,024EEB5E,?,0250ECA8,?), ref: 024F320F
Strings
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
• String ID: bad allocation
• API String ID: 3074076210-2104205924

APIs
• GetCommandLineW.KERNEL32 ref: 0040DDBD
• CommandLineToArgvW.SHELL32(00000000), ref: 0040DDC4
Strings
Memory Dump Source
• Source File: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
Similarity
• API ID: CommandLine$Argv
• String ID: entV$ersi
• API String ID: 1106129467-2833038364

APIs
• __EH_prolog.LIBCMT ref: 024E37B6
• __localtime64.LIBCMT ref: 024E37C1
  • Part of subcall function 024F1600: __gmtime64_s.LIBCMT ref: 024F1613
• std::exception::exception.LIBCMT ref: 024E37D9
  • Part of subcall function 024F14D3: std::exception::_Copy_str.LIBCMT ref: 024F14EC
  • Part of subcall function 024E9524: __EH_prolog.LIBCMT ref: 024E9529
  • Part of subcall function 024E9524: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 024E9538
  • Part of subcall function 024E9524: __CxxThrowException@8.LIBCMT ref: 024E9557
Strings
• could not convert calendar time to UTC time, xrefs: 024E37CE
Memory Dump Source
• Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
Yara matches
Similarity
• API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
• String ID: could not convert calendar time to UTC time
• API String ID: 1963798777-2088861013

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: _Jv_RegisterClasses$libgcj-11.dll
• API String ID: 1646373207-2713375476

APIs
• GetModuleHandleA.KERNEL32(KERNEL32,004028E9), ref: 00402CCF
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00402CDF
Strings
Memory Dump Source
• Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
                                                                                • Opcode ID: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                                • Instruction ID: 2adebd830dd3b14d64e79f2d4f5eff8f6aaaa0a0dfbfbc424d90c26f206a1370
                                                                                • Opcode Fuzzy Hash: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                                • Instruction Fuzzy Hash: 8EC01220388602ABFE902BB14F0EB2A21082F00B82F14407E6589F02C0CEBCC008903D
                                                                                APIs
                                                                                • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403BAA), ref: 004047AD
                                                                                • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403BAA), ref: 004047D1
                                                                                • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403BAA), ref: 004047EB
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403BAA), ref: 004048AC
                                                                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403BAA), ref: 004048C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual$FreeHeap
                                                                                • String ID:
                                                                                • API String ID: 714016831-0
                                                                                • Opcode ID: cdae8ae5a690afa4d4f5a0e9c68b0154a05ea86f62aef1c42ef49f39af8a83b4
                                                                                • Instruction ID: 6e3f28a325fdea7f1120dddc177c98cba6358bc66e7b898124441de81bb44451
                                                                                • Opcode Fuzzy Hash: cdae8ae5a690afa4d4f5a0e9c68b0154a05ea86f62aef1c42ef49f39af8a83b4
                                                                                • Instruction Fuzzy Hash: 023104B65407019FD3309F24DD84B62B7E0EB88B54F10CA3AEA95B76D1D778A8448B5C
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdjustPointer_memmove
                                                                                • String ID:
                                                                                • API String ID: 1721217611-0
                                                                                • Opcode ID: a066bce1af3dc67c3580a0d3b09217781ddb843b14ffdd09ea3933c7123f7b5d
                                                                                • Instruction ID: d92b9b5e28dfaeed0999c33a85f198f7d3b0b2a851ecb600743bb6787c4013ef
                                                                                • Opcode Fuzzy Hash: a066bce1af3dc67c3580a0d3b09217781ddb843b14ffdd09ea3933c7123f7b5d
                                                                                • Instruction Fuzzy Hash: DE4194366043429EEBB85E26E940B7B37E5EF85314F24001FEB448AAD0EF62E490CA10
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,024E4149), ref: 024F03BF
                                                                                  • Part of subcall function 024E3FDC: __EH_prolog.LIBCMT ref: 024E3FE1
                                                                                  • Part of subcall function 024E3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 024E3FF3
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024F03B4
                                                                                • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,024E4149), ref: 024F0400
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,024E4149), ref: 024F04D1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$Event$CreateH_prolog
                                                                                • String ID:
                                                                                • API String ID: 2825413587-0
                                                                                • Opcode ID: cb5b3f2a606af18dd8550c2ac90af81606eac06a0bb76988c205f7ccd302692b
                                                                                • Instruction ID: 183ba0a653b94b0409ecb4ec4e02c624e7ee7f9e7483fd8b84e2ff55acf283d2
                                                                                • Opcode Fuzzy Hash: cb5b3f2a606af18dd8550c2ac90af81606eac06a0bb76988c205f7ccd302692b
                                                                                • Instruction Fuzzy Hash: 8251DD716003058BDB20DF28C884B5B7BE5BFC8328F19561AEE69A7396E735D805CF91
                                                                                APIs
                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 024FE2DB
                                                                                • __isleadbyte_l.LIBCMT ref: 024FE309
                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 024FE337
                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 024FE36D
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                • String ID:
                                                                                • API String ID: 3058430110-0
                                                                                • Opcode ID: 42b8aefea2d57a362fe5b2514ecf6747a5b950144b95773845d4c44c89560af2
                                                                                • Instruction ID: b20494f351991c3f9ba80243a5709d06cfcc22bd2afadef362075e30d5b1cd8f
                                                                                • Opcode Fuzzy Hash: 42b8aefea2d57a362fe5b2514ecf6747a5b950144b95773845d4c44c89560af2
                                                                                • Instruction Fuzzy Hash: 3531D431700246EFDB618E79C848B6B7BB5FF81316F06442AEA548B2A0E770D851DB50
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                                • String ID:
                                                                                • API String ID: 1648232842-0
                                                                                • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                                                • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 024FDDC7
                                                                                • WideCharToMultiByte.KERNEL32(?,?,?,00000001,?,?,?,?), ref: 024FDE24
                                                                                • GetLastError.KERNEL32(?,?,00000001,?,?,?,?), ref: 024FDE40
                                                                                • _memset.LIBCMT ref: 024FDE56
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _memset$ByteCharErrorLastMultiWide
                                                                                • String ID:
                                                                                • API String ID: 773584764-0
                                                                                • Opcode ID: ec0ff57dbc47f8db7dd527b0cf8eba21427496b446db4936e5de96a2b7044e07
                                                                                • Instruction ID: 633de6cadea9397625a763c04d966d02cab3c131a40edae259f88af660395f08
                                                                                • Opcode Fuzzy Hash: ec0ff57dbc47f8db7dd527b0cf8eba21427496b446db4936e5de96a2b7044e07
                                                                                • Instruction Fuzzy Hash: 6E219576E00740EBDBA15F658854BEB3B65EFC2754F0440ABEA054A340EB718945CBA1
                                                                                APIs
                                                                                • sqlite3_step.SQLITE3 ref: 609614AB
                                                                                • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                                • String ID:
                                                                                • API String ID: 3429445273-0
                                                                                • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                                                • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                                                APIs
                                                                                • htons.WS2_32(?), ref: 024E3DA2
                                                                                  • Part of subcall function 024E3BD3: __EH_prolog.LIBCMT ref: 024E3BD8
                                                                                  • Part of subcall function 024E3BD3: std::bad_exception::bad_exception.LIBCMT ref: 024E3BED
                                                                                • htonl.WS2_32(00000000), ref: 024E3DB9
                                                                                • htonl.WS2_32(00000000), ref: 024E3DC0
                                                                                • htons.WS2_32(?), ref: 024E3DD4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                                • String ID:
                                                                                • API String ID: 3882411702-0
                                                                                • Opcode ID: f72409d1f14b2d04b401f62285f2afc7bdd5815d266686345a1e54ccbc0f0f74
                                                                                • Instruction ID: f10d7c7aadf86e9599ec726cd8034dafc553cbfed181646d0b777d585aaecc80
                                                                                • Opcode Fuzzy Hash: f72409d1f14b2d04b401f62285f2afc7bdd5815d266686345a1e54ccbc0f0f74
                                                                                • Instruction Fuzzy Hash: 6B117035900208EFDF019F64D885A6ABBB9FF08311F0084AAFD05DF245E6719E54DBA5
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                                                • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                                                • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                                                • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 1477753154-0
                                                                                • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                                                • Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                                                APIs
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 024E23D0
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 024E23DE
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 024E2401
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 024E2408
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 4018804020-0
                                                                                • Opcode ID: 61e51f55ed6819394e02cf4d5e8c16aeda43c867ed85e1507bd575f7f1ea1ad7
                                                                                • Instruction ID: 86a25e484ba3f5e749b807836791f2c974c7f9163f1db1982c3582f605ac0ab3
                                                                                • Opcode Fuzzy Hash: 61e51f55ed6819394e02cf4d5e8c16aeda43c867ed85e1507bd575f7f1ea1ad7
                                                                                • Instruction Fuzzy Hash: 2111AC71600204ABEB10DF61DD84FABB7ACFF4070AF50446EE9029A240E7B1E855DFA0
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 024E2EEE
                                                                                • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 024E2EFD
                                                                                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 024E2F0C
                                                                                • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 024E2F36
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Socketsetsockopt
                                                                                • String ID:
                                                                                • API String ID: 2093263913-0
                                                                                • Opcode ID: 36a200518fede1157b7794fef9a2eeb8c6a3cb2702fc5e351713986da57db2af
                                                                                • Instruction ID: c4bb153c050621502096866ce2c81efc75d536e43e1e23155b021a08e4048ea8
                                                                                • Opcode Fuzzy Hash: 36a200518fede1157b7794fef9a2eeb8c6a3cb2702fc5e351713986da57db2af
                                                                                • Instruction Fuzzy Hash: 8F018D71A00204BFDB209F65DC88B5B7BADEF85772F008566F915C7145D7708C04DBA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                • String ID:
                                                                                • API String ID: 3016257755-0
                                                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                • Instruction ID: 5df4624961211c825accd7434c5887af8d5c17bb1ef2acf04d08392029f5db6d
                                                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                • Instruction Fuzzy Hash: AC01393600015ABBCF926E94CD518EE3F67BB49354B4A8416FB1859221D336C9B2AB81
                                                                                APIs
                                                                                • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                  • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 2673540737-0
                                                                                • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                                                • Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                                • String ID:
                                                                                • API String ID: 3526213481-0
                                                                                • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                                • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                                APIs
                                                                                • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                                • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                                  • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                                • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                                  • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                                • sqlite3_step.SQLITE3 ref: 60969197
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                                • String ID:
                                                                                • API String ID: 2877408194-0
                                                                                • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                                • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                                APIs
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 024E24A9
                                                                                • RtlEnterCriticalSection.NTDLL(?), ref: 024E24B8
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 024E24CD
                                                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 024E24D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                                • String ID:
                                                                                • API String ID: 4018804020-0
                                                                                • Opcode ID: 06fd7ed37d3bb7b075e75ab8e54fb1bf7bbe8753e313900d7f60ac71ff0993ff
                                                                                • Instruction ID: 84319e8462b80c9ec0038f4b8fb749b620d4b4d5085904f3d3f5469c3431ffd0
                                                                                • Opcode Fuzzy Hash: 06fd7ed37d3bb7b075e75ab8e54fb1bf7bbe8753e313900d7f60ac71ff0993ff
                                                                                • Instruction Fuzzy Hash: E3F03C72640209AFDB00AF69EC98FAABBACFF45711F40841AFA05C6149D771E564CFA4
                                                                                APIs
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                                • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                                • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID:
                                                                                • API String ID: 1477753154-0
                                                                                • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                                • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E2009
                                                                                • RtlDeleteCriticalSection.NTDLL(?), ref: 024E2028
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024E2037
                                                                                • CloseHandle.KERNEL32(00000000), ref: 024E204E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                                • String ID:
                                                                                • API String ID: 2456309408-0
                                                                                • Opcode ID: d22b196e322eb93c528473f004a54a227aadbef28bf41243d2c4bee377a33d7a
                                                                                • Instruction ID: 48eaf34d5475ca9a1978fa258d07a9138168d2a7f4a217fe4b8599e1f7a7948d
                                                                                • Opcode Fuzzy Hash: d22b196e322eb93c528473f004a54a227aadbef28bf41243d2c4bee377a33d7a
                                                                                • Instruction Fuzzy Hash: A6018F318006009BDB24EF14EC88BAABBF9FB04305F00091EE94382594CBB06648CE98
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$H_prologSleep
                                                                                • String ID:
                                                                                • API String ID: 1765829285-0
                                                                                • Opcode ID: 60d2c33f5e4ba86e829eaa499b3e2350512ba70e32a15ee7663fd36c45de1d7e
                                                                                • Instruction ID: ac8986637403c611229230db2a5dcf698c4a09b14cc59fb8ba0dc2425b41fa40
                                                                                • Opcode Fuzzy Hash: 60d2c33f5e4ba86e829eaa499b3e2350512ba70e32a15ee7663fd36c45de1d7e
                                                                                • Instruction Fuzzy Hash: 79F06D31A40100EFCB009F94DCD8B9CBBA4FF09311F0081A9F9098B280C7309804CAA5
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: into$out of
                                                                                • API String ID: 632333372-1114767565
                                                                                • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                                • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmove
                                                                                • String ID: &'
                                                                                • API String ID: 3529519853-655172784
                                                                                • Opcode ID: e842f55f31ae7c0d36d15b558c9de29f380301e84e932689d2c4c2620f134715
                                                                                • Instruction ID: 51a09ac96782159212964ce567395f6f844ea177080f3fb496a4def36343f770
                                                                                • Opcode Fuzzy Hash: e842f55f31ae7c0d36d15b558c9de29f380301e84e932689d2c4c2620f134715
                                                                                • Instruction Fuzzy Hash: 02616B71D00209DFEF20DFA5C981AAEFBB6AF58711F10416FD50AAB290D7709A45CF61
                                                                                APIs
                                                                                  • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                                • sqlite3_free.SQLITE3 ref: 609193A3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_freesqlite3_value_text
                                                                                • String ID: (NULL)$NULL
                                                                                • API String ID: 2175239460-873412390
                                                                                • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                                • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: -- $d
                                                                                • API String ID: 632333372-777087308
                                                                                • Opcode ID: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                                • Instruction ID: d45f625f7ed72e8bd0cbe86fb5af212c953cff4c7e5ffbb26f6c4a79540968e1
                                                                                • Opcode Fuzzy Hash: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                                • Instruction Fuzzy Hash: FB51F674A043689BDB26CF28C980789BBFABF55304F1481D9E89CAB341C7759E85CF40
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,00000000), ref: 00405BB3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID: $
                                                                                • API String ID: 1807457897-3032137957
                                                                                • Opcode ID: 8be919fd1f317d968f1dd7194145b7f748f3cf7c70e6a819b272ea0fad10816c
                                                                                • Instruction ID: a56a174cbc4f2354ce51958eba1d0621761effbb059f2287080cdd9d93e72df2
                                                                                • Opcode Fuzzy Hash: 8be919fd1f317d968f1dd7194145b7f748f3cf7c70e6a819b272ea0fad10816c
                                                                                • Instruction Fuzzy Hash: 974168300187589AFB119764CD89BFB3FA8DB05700F1400FAD986FB1D3C23949589FAA
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: string or blob too big$|
                                                                                • API String ID: 632333372-330586046
                                                                                • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                                                • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
                                                                                APIs
                                                                                  • Part of subcall function 024E2D39: WSASetLastError.WS2_32(00000000), ref: 024E2D47
                                                                                  • Part of subcall function 024E2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 024E2D5C
                                                                                • WSASetLastError.WS2_32(00000000), ref: 024E2E6D
                                                                                • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 024E2E83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Sendselect
                                                                                • String ID: 3'
                                                                                • API String ID: 2958345159-280543908
                                                                                • Opcode ID: 97cc9e91c866ae8fe6c418afa760553c470f33963f48506b3136d1ef5a8cbdc6
                                                                                • Instruction ID: 6938766fb93d955348930059d02f1ef6f1f6c2e505b81c348e651a404f06884c
                                                                                • Opcode Fuzzy Hash: 97cc9e91c866ae8fe6c418afa760553c470f33963f48506b3136d1ef5a8cbdc6
                                                                                • Instruction Fuzzy Hash: F931D0B0E002099FFF10EF65C814BEF7BAAAF44356F004A5BDD0A93240E7B499558FA0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_logsqlite3_value_text
                                                                                • String ID: string or blob too big
                                                                                • API String ID: 2320820228-2803948771
                                                                                • Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                • Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
                                                                                • Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                • Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,024E73CE,?,?,00000000), ref: 024E86CC
                                                                                • getsockname.WS2_32(?,?,?), ref: 024E86E2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastgetsockname
                                                                                • String ID: &'
                                                                                • API String ID: 566540725-655172784
                                                                                • Opcode ID: a828675b909f1bbc165fd72b5caef62cf531d34492a32bd9b0b6ae111c6445e6
                                                                                • Instruction ID: 371ba205970191a80790ed1426973c2efb9217a9d0221242d820396e36f318e2
                                                                                • Opcode Fuzzy Hash: a828675b909f1bbc165fd72b5caef62cf531d34492a32bd9b0b6ae111c6445e6
                                                                                • Instruction Fuzzy Hash: 66215172A00208AFEF10DF79D854ACEB7F5FF48325F11856AE919EB390D730A9458B94
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024EBCB0
                                                                                  • Part of subcall function 024EC28C: std::exception::exception.LIBCMT ref: 024EC2BB
                                                                                  • Part of subcall function 024ECA42: __EH_prolog.LIBCMT ref: 024ECA47
                                                                                  • Part of subcall function 024F27B5: _malloc.LIBCMT ref: 024F27CD
                                                                                  • Part of subcall function 024EC2EB: __EH_prolog.LIBCMT ref: 024EC2F0
                                                                                Strings
                                                                                • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 024EBCE6
                                                                                • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 024EBCED
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$_mallocstd::exception::exception
                                                                                • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                                • API String ID: 1953324306-1943798000
                                                                                • Opcode ID: 4a988328aeb30608f156822bd235c66f462a00fcc136a13373507063e0545174
                                                                                • Instruction ID: 7560403b1bd21c0f9495053d4f20bcdcb389f4117d1e9591a5941d1a21d9cfe8
                                                                                • Opcode Fuzzy Hash: 4a988328aeb30608f156822bd235c66f462a00fcc136a13373507063e0545174
                                                                                • Instruction Fuzzy Hash: 8A217E71D002489AEF08EFE5D894AEEBBF5FF54705F04445EE916AB280DB705A04CF95
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024EBDA5
                                                                                  • Part of subcall function 024EC363: std::exception::exception.LIBCMT ref: 024EC390
                                                                                  • Part of subcall function 024ECB79: __EH_prolog.LIBCMT ref: 024ECB7E
                                                                                  • Part of subcall function 024F27B5: _malloc.LIBCMT ref: 024F27CD
                                                                                  • Part of subcall function 024EC3C0: __EH_prolog.LIBCMT ref: 024EC3C5
                                                                                Strings
                                                                                • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 024EBDE2
                                                                                • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 024EBDDB
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$_mallocstd::exception::exception
                                                                                • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                                • API String ID: 1953324306-412195191
                                                                                • Opcode ID: b48a4e1cfc73dc20546cf66ba848f8a225a42813af5fc7ae1ead6062a6e62315
                                                                                • Instruction ID: 96b0d2291c7a50d73134649f89601b7a2e8fa48c1f66ec4343c667d2a44412c4
                                                                                • Opcode Fuzzy Hash: b48a4e1cfc73dc20546cf66ba848f8a225a42813af5fc7ae1ead6062a6e62315
                                                                                • Instruction Fuzzy Hash: 63218071E002089AEF08EFE5D894AEEBBF5FF54704F04455EE916A7380DBB05A04CB95
                                                                                APIs
                                                                                • WSASetLastError.WS2_32(00000000), ref: 024E2AEA
                                                                                • connect.WS2_32(?,?,?), ref: 024E2AF5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastconnect
                                                                                • String ID: 3'
                                                                                • API String ID: 374722065-280543908
                                                                                • Opcode ID: c3b2f09cf1ec045d007a92c866c02b19ac6508f91e52fca919bc16c29b7528b1
                                                                                • Instruction ID: ff7f3cf17305d2d1b8dd4205e65ccd7bf5e7347bbd11b6a179e9a98057c5334f
                                                                                • Opcode Fuzzy Hash: c3b2f09cf1ec045d007a92c866c02b19ac6508f91e52fca919bc16c29b7528b1
                                                                                • Instruction Fuzzy Hash: FD218671E00204AFEF14EF75D4146AE7BBAAF44326F00469FDC1A93384DBB449059F91
                                                                                APIs
                                                                                • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                                • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                • String ID:
                                                                                • API String ID: 3265351223-3916222277
                                                                                • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                                                • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_stricmp
                                                                                • String ID: log
                                                                                • API String ID: 912767213-2403297477
                                                                                • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                                • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E396A
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 024E39C1
                                                                                  • Part of subcall function 024E1410: std::exception::exception.LIBCMT ref: 024E1428
                                                                                  • Part of subcall function 024E961A: __EH_prolog.LIBCMT ref: 024E961F
                                                                                  • Part of subcall function 024E961A: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 024E962E
                                                                                  • Part of subcall function 024E961A: __CxxThrowException@8.LIBCMT ref: 024E964D
                                                                                Strings
                                                                                • Day of month is not valid for year, xrefs: 024E39AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Day of month is not valid for year
                                                                                • API String ID: 1404951899-1521898139
                                                                                • Opcode ID: 991e1790db290e7c826ba6ec0f24d0c2a675d67d4ee75e27ef650723beabae6d
                                                                                • Instruction ID: 83affe8ebadf0c37168d79cbd637c96fe05ff02e704ef52982be5b522fd6ca30
                                                                                • Opcode Fuzzy Hash: 991e1790db290e7c826ba6ec0f24d0c2a675d67d4ee75e27ef650723beabae6d
                                                                                • Instruction Fuzzy Hash: 1B01B17A910249AAEF00EFA5D841AEFB7B9FF18711F40451BEC0597280EB704B51CBA5
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_strnicmp
                                                                                • String ID: SQLITE_
                                                                                • API String ID: 1961171630-787686576
                                                                                • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                APIs
                                                                                • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                Strings
                                                                                • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                • String ID: Invalid argument to rtreedepth()
                                                                                • API String ID: 1063208240-2843521569
                                                                                • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                                APIs
                                                                                • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                  • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                  • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                  • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                  • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                • String ID: soft_heap_limit
                                                                                • API String ID: 1251656441-405162809
                                                                                • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                                • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                                APIs
                                                                                • std::exception::exception.LIBCMT ref: 024EEB16
                                                                                • __CxxThrowException@8.LIBCMT ref: 024EEB2B
                                                                                  • Part of subcall function 024F27B5: _malloc.LIBCMT ref: 024F27CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                • String ID: bad allocation
                                                                                • API String ID: 4063778783-2104205924
                                                                                • Opcode ID: 60a3e383acaf19def63c4acec2928a4fc06b6d5714fa39c7ec069b1a2bf3a9ae
                                                                                • Instruction ID: 2eb00bbc21f4fdb7f41dbc2d8d85c3dde19a3153a7c7f5f28607c1d14faf76e8
                                                                                • Opcode Fuzzy Hash: 60a3e383acaf19def63c4acec2928a4fc06b6d5714fa39c7ec069b1a2bf3a9ae
                                                                                • Instruction Fuzzy Hash: 56F02E70600309A7AF05EA698D559EFB3ECAB40315F00055BE912D33C1FF70E5008555
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E3C1B
                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 024E3C30
                                                                                  • Part of subcall function 024F14B7: std::exception::exception.LIBCMT ref: 024F14C1
                                                                                  • Part of subcall function 024E9653: __EH_prolog.LIBCMT ref: 024E9658
                                                                                  • Part of subcall function 024E9653: __CxxThrowException@8.LIBCMT ref: 024E9681
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                • String ID: bad cast
                                                                                • API String ID: 1300498068-3145022300
                                                                                • Opcode ID: 7959a62a7b44ac705dd185d44581a0ed0903c9bfe9d68780b8fd5ad6d5fa5bc8
                                                                                • Instruction ID: f3641c62cd8c0d4ed884cfce3fd397ddfe44035200a63f64340d30a79dd5f1a3
                                                                                • Opcode Fuzzy Hash: 7959a62a7b44ac705dd185d44581a0ed0903c9bfe9d68780b8fd5ad6d5fa5bc8
                                                                                • Instruction Fuzzy Hash: 6AF02732D00104CBCB09DF54C880AEEB775FF52311F0001AFED0A47290CB728905CAD1
                                                                                APIs
                                                                                • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                                • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: sqlite3_log
                                                                                • String ID: NULL
                                                                                • API String ID: 632333372-324932091
                                                                                • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                                • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E38D2
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 024E38F1
                                                                                  • Part of subcall function 024E1410: std::exception::exception.LIBCMT ref: 024E1428
                                                                                  • Part of subcall function 024E7987: _memmove.LIBCMT ref: 024E79A7
                                                                                Strings
                                                                                • Year is out of valid range: 1400..10000, xrefs: 024E38E0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Year is out of valid range: 1400..10000
                                                                                • API String ID: 3258419250-2344417016
                                                                                • Opcode ID: c36b954d043777adb44a79b8e7a6c27dcc1f237e8bdfe67f9bc0fb42a1cc4869
                                                                                • Instruction ID: 5d25e99ca72f3fa52710ce931a9786a7da2117b7dffe7708238783c66bfe9c0d
                                                                                • Opcode Fuzzy Hash: c36b954d043777adb44a79b8e7a6c27dcc1f237e8bdfe67f9bc0fb42a1cc4869
                                                                                • Instruction Fuzzy Hash: 6DE02232A002105BFF14AB958C91BEDB7B8EF08710F00018ED807632C0DAB11800CB88
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E3886
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 024E38A5
                                                                                  • Part of subcall function 024E1410: std::exception::exception.LIBCMT ref: 024E1428
                                                                                  • Part of subcall function 024E7987: _memmove.LIBCMT ref: 024E79A7
                                                                                Strings
                                                                                • Day of month value is out of range 1..31, xrefs: 024E3894
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Day of month value is out of range 1..31
                                                                                • API String ID: 3258419250-1361117730
                                                                                • Opcode ID: deb94e87421f64612762ddf466c4f3435b321b54dada6b40fa3d43651b86234c
                                                                                • Instruction ID: f04793c058c61ba0b2c86bf35cdc5adf2506b70ae2aa9422741c17c03743930c
                                                                                • Opcode Fuzzy Hash: deb94e87421f64612762ddf466c4f3435b321b54dada6b40fa3d43651b86234c
                                                                                • Instruction Fuzzy Hash: 6AE09272A4025457FB14AB95CC91BDDB7A9EB58711F00058ED807676C0DAB119448B95
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E391E
                                                                                • std::runtime_error::runtime_error.LIBCPMT ref: 024E393D
                                                                                  • Part of subcall function 024E1410: std::exception::exception.LIBCMT ref: 024E1428
                                                                                  • Part of subcall function 024E7987: _memmove.LIBCMT ref: 024E79A7
                                                                                Strings
                                                                                • Month number is out of range 1..12, xrefs: 024E392C
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                • String ID: Month number is out of range 1..12
                                                                                • API String ID: 3258419250-4198407886
                                                                                • Opcode ID: f381ffcfb414a48ef126d62f1e6ad4d5d4a97170590fe630bfbc3f477d658441
                                                                                • Instruction ID: 29885a4e8d27a74a2c7150f46108dcc96e1385de4f57a555783c529347ea8f89
                                                                                • Opcode Fuzzy Hash: f381ffcfb414a48ef126d62f1e6ad4d5d4a97170590fe630bfbc3f477d658441
                                                                                • Instruction Fuzzy Hash: 79E09272E401149BFB24ABA58C91BEEB7A9EB58711F00018ED807676C0DAB119448BD5
                                                                                APIs
                                                                                • TlsAlloc.KERNEL32 ref: 024E19CC
                                                                                • GetLastError.KERNEL32 ref: 024E19D9
                                                                                  • Part of subcall function 024E1712: __EH_prolog.LIBCMT ref: 024E1717
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocErrorH_prologLast
                                                                                • String ID: tss
                                                                                • API String ID: 249634027-1638339373
                                                                                • Opcode ID: 4c040a8ffcc5aaa3bcf954d281bc956db3e5342748a9a2c0c039de04ea218306
                                                                                • Instruction ID: c5fa8e91cd5fe7ba7f659bc52b4906cd90dc44f2fbbb899b9409b94a0bcdb024
                                                                                • Opcode Fuzzy Hash: 4c040a8ffcc5aaa3bcf954d281bc956db3e5342748a9a2c0c039de04ea218306
                                                                                • Instruction Fuzzy Hash: 20E08632D446105B96007B78AC595AFBB94AA45272F508B2BECAE832D4FA304D549FC6
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 024E3BD8
                                                                                • std::bad_exception::bad_exception.LIBCMT ref: 024E3BED
                                                                                  • Part of subcall function 024F14B7: std::exception::exception.LIBCMT ref: 024F14C1
                                                                                  • Part of subcall function 024E9653: __EH_prolog.LIBCMT ref: 024E9658
                                                                                  • Part of subcall function 024E9653: __CxxThrowException@8.LIBCMT ref: 024E9681
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3153140705.00000000024E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_24e1000_universalvc22.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                • String ID: bad cast
                                                                                • API String ID: 1300498068-3145022300
                                                                                • Opcode ID: 783bcf8a745ff4b3538033d2549ec7da366db0d9ee19290cba0eeb8a730a32dd
                                                                                • Instruction ID: 2e1c1f66ec26bdc96c4eb5acda132ac3ea5dc39b1dcc3593726277a535b23d66
                                                                                • Opcode Fuzzy Hash: 783bcf8a745ff4b3538033d2549ec7da366db0d9ee19290cba0eeb8a730a32dd
                                                                                • Instruction Fuzzy Hash: BAE09A70900149DBDB14EF54C981BBDBBB1FB55301F0081AEAD0A433D0CB304904CA86
                                                                                APIs
                                                                                • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404608
                                                                                • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040463C
                                                                                • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404656
                                                                                • HeapFree.KERNEL32(00000000,?,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040466D
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3151812844.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000003.00000002.3151812844.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                • Associated: 00000003.00000002.3151812844.000000000040F000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: AllocHeap$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 3499195154-0
                                                                                • Opcode ID: 2becd6c8e06833c8a4915773bf629a422f484b6d9e0f9157989f7b9aaac48440
                                                                                • Instruction ID: acd6d4547551bc59350702e4efe52eaae0a18fdbbc3be1f7c52cca1e76f34e40
                                                                                • Opcode Fuzzy Hash: 2becd6c8e06833c8a4915773bf629a422f484b6d9e0f9157989f7b9aaac48440
                                                                                • Instruction Fuzzy Hash: 35115E70210701DFC7208F28EE85A127BB5FB857207108A3DFA95E65F0D7769845DB08
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                                • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.3155022968.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                • Associated: 00000003.00000002.3154967782.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155193092.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155211224.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155242926.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155260686.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000003.00000002.3155340959.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_60900000_universalvc22.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                                • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2